{"id":2403,"date":"2025-03-19T12:20:45","date_gmt":"2025-03-19T12:20:45","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=2403"},"modified":"2025-03-19T12:20:45","modified_gmt":"2025-03-19T12:20:45","slug":"about-22k-wab-customers-impacted-by-a-zero-day-attack-on-a-third-party-vendor","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=2403","title":{"rendered":"About 22k WAB customers impacted by a zero-day attack on a third-party vendor"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Western Alliance Bank (WAB) has disclosed that a data breach at its third-party vendor\u2019s secure file transfer software has compromised personal information for nearly 22,000 customers.<\/p>\n<p>In a letter to potentially affected customers, the Arizona-based regional bank\u2013operating over 50 branches with $80 billion in assets\u2013disclosed that forensic analysis indicated unauthorized access to financial data, social security numbers, and other sensitive information.<\/p>\n<p>\u201cWe reviewed the contents of the files acquired by the third party to determine if they contained any personal information,\u201d the bank said in the letter. \u201cOn February 21, 2025, we determined that the files contained some of your personal information, including your name and Social Security number. 
The files may have also contained your date of birth, financial account number, driver\u2019s license number, tax identification number, and\/or passport, if you provided it to Western Alliance.\u201d\u00a0<\/p>\n<p>The bank had first disclosed the incident in a February <a href=\"https:\/\/www.sec.gov\/Archives\/edgar\/data\/1212545\/000121254525000090\/wal-20241231.htm\">SEC filing<\/a>, revealing that a limited number of WAB systems were hacked using a zero-day vulnerability affecting one of the bank\u2019s third-party vendor\u2019s secure file transfer software.<\/p>\n<p>\u201cThe Company was made aware of a zero-day vulnerability at the vendor on October 27, 2024 (the \u201cVendor Incident\u201d), and immediately activated its incident response process to investigate and deployed all patches as recommended by the software developer. The Company and its information security consultants found no evidence of any unlawful infiltration or exfiltration of any Company or customer data until January 27, 2025, when the Company\u2019s surveillance process identified files related to the Vendor Incident published by the threat actor. 
The files included data flowing through the file transfer software between October 12-24, 2024, prior to notification of the Vendor Incident,\u201d the company wrote in its SEC filing.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>PII, financial details likely compromised<\/h2>\n<p>While the bank had said in the SEC filing, citing the preliminary investigation, that it found no unlawful \u201cinfiltration or exfiltration of any company or customer data\u201d until January 27, 2025 (also the day the incident was discovered), it sent out letters to customers on March 14, 2025, revealing the new findings.<\/p>\n<p>In a breach notification filed with the Office of Maine\u2019s Attorney General, the bank said it believes a total of 21,899 customers to be affected by the breach.<\/p>\n<p>According to the letters, the compromised data includes name, date of birth, driver\u2019s license number, tax identification number, social security number, financial account number, and passport number (if provided to the bank).<\/p>\n<p>An attacker could potentially use this information to carry out identity theft, financial fraud, and social engineering or phishing attacks.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>Clop ransomware claimed breach in January<\/h2>\n<p>While the SEC filing did not name the third-party software exploited in the attacks or the threat actor involved, the Clop ransomware group had claimed in January a <a href=\"https:\/\/x.com\/H4ckManac\/status\/1879437025922760866\">massive breach of 58 companies<\/a> that included WAB and used <a href=\"https:\/\/www.csoonline.com\/article\/3621746\/attackers-exploit-zero-day-rce-flaw-in-cleo-managed-file-transfer.html\">vulnerabilities<\/a> in Cleo\u2019s managed file transfer platforms.<\/p>\n<p>WAB did not respond to queries seeking attack details and Cleo connections at the time of publication. 
In May 2023, Clop claimed responsibility for the infamous MOVEit cyberattack that has, to date, affected 2,611 organizations worldwide.<\/p>\n<p>\u201cThis is not the first secure file transfer software to be exploited by a zero-day,\u201d Paul Underwood, vice president at Neovera, told CSO. \u201cKiteWorks Accellion software was compromised in a <a href=\"https:\/\/www.cisa.gov\/news-events\/cybersecurity-advisories\/aa21-055a\">zero-day vulnerability<\/a> in its FTA product, which led to a series of cyberattacks in late 202, and early 2021.\u201d<\/p>\n<p>Companies need to start doing better due diligence on what software they are using to store potentially sensitive information, he added. \u201cEncryption should be implemented using public\/private key pairs, along with hardware security measures like HSMs to protect the keys.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Western Alliance Bank (WAB) has disclosed that a data breach at its third-party vendor\u2019s secure file transfer software has compromised personal information for nearly 22,000 customers. 
In a letter to potentially affected customers, the Arizona-based regional bank\u2013operating over 50 branches with $80 billion in assets\u2013disclosed that forensic analysis indicated unauthorized access to financial data, social [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":2400,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-2403","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2403"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2403"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2403\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/2400"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2403"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2403"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2403"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}