Western Alliance Bank has announced a data breach affecting 21,899 people, that was caused by an October 2024 cyberattack on a third-party file transfer software. The breach exposed sensitive personal and financial information, including names, Social Security numbers, driver’s license details, and financial account numbers.
The bank said the malicious actors exploited a zero-day vulnerability in the third-party software to breach a limited number of Western Alliance systems and exfiltrate files stored on the compromised devices. Western Alliance found that customer data was exfiltrated from its network only after discovering that the attackers leaked some files stolen from its systems.
The breach happened on 12 October 2024, following the use by threat actors of an undisclosed vulnerability in the file transfer system to gain unauthorized entry into a secured section of Western Alliance’s network. The bank discovered the breach on 27 January 2025, and in February, it determined that personal data had been exfiltrated.
Western Alliance discovered the breach when hackers published allegedly stolen information online. Despite the security breach, the bank informed the Securities and Exchange Commission (SEC) in a filing that the breach would not have a material impact on its financials.
Affected People and Response
In breach notification letters sent to the affected customers, and filed with the Office of Maine’s Attorney General, the company said that the unauthorized actor acquired certain files from the systems between 12 and 24 October last year.
An analysis of the stolen files concluded on 21 February 2025, and found they contained customer personal information, including name and Social Security number, as well as dates of birth, financial account numbers, driver’s license numbers, tax identification numbers, and/or passport information if it was provided to Western Alliance.
The bank is offering one year of identity protection services through Experian IdentityWorks Credit 3B to mitigate the potential risks from the exposure.
Not Enough Oversight
This breach shines a light on the ongoing cybersecurity risk of third-party services, particularly in financial institutions that handle sensitive data. IT security professionals should take this incident as a reminder to constantly monitor third-party vendor security, patch vulnerabilities promptly, and maintain proactive monitoring systems to detect breaches earlier.
Commenting on this, Akhil Mittal, senior security consulting manager at Black Duck, said: “Organisations continue to trust third-party software without enough oversight, and every few months, the same scenario plays out—a vendor gets breached, sensitive data is stolen, and customers get offered a year of credit monitoring that does little to fix the real issue.
“This isn’t just about Western Alliance—it’s a systemic problem with third-party risk. Financial institutions spend millions on cybersecurity, yet many still lack real-time visibility into their vendors’ security. ‘Trust but verify’ isn’t enough anymore. If a third-party tool handles sensitive data, it needs continuous monitoring, not just a compliance checklist. Customers aren’t shocked when financial institutions get hacked; they expect it. It’s essential for financial institutions to detect and notify their customers of any data loss as soon as possible to prevent further loss and ensure the right next steps are taken quickly.”
Third-party Security Challenges
The breach at Western Alliance Bank underscores two key aspects, adds Piyush Pandey, CEO at Pathlock. “First, it highlights the growing challenge of mitigating vulnerabilities in third-party applications amidst the complexity of modern IT ecosystems in the financial sector. Continuous vulnerability scanning and robust patch management should be implemented to address this issue.
Second, Pandey says it emphasizes the need for real-time sensitive data access monitoring. Anomalous access attempts should be detected and terminated at an early stage to prevent potential exfiltration and data leaks. “These are critical aspects of security in the financial sector, especially given its highly regulated nature concerning data protection and privacy and potential negative consequences for companies in terms of compliance fines.”
Not Enough Oversight
Akhil Mittal, Senior Manager at Black Duck, says organizations continue to trust third-party software without enough oversight and every few months, the same scenario plays out—a vendor gets breached, sensitive data is stolen and customers get offered a year of credit monitoring that does little to fix the real issue.
“This isn’t just about Western Alliance—it’s a systemic problem with third-party risk. Financial institutions spend millions on cybersecurity, yet many still lack real-time visibility into the security of their vendors. ‘Trust but verify’ isn’t enough anymore. If a third-party tool handles sensitive data, it needs continuous monitoring, not just a compliance checklist. Customers aren’t shocked when financial institutions get hacked; they expect it. It’s essential for financial institutions to detect and notify their customers of any data loss as soon as possible to prevent further loss and ensure the right next steps are taken quickly,” Mittal ends.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.