Full Report
Phoenix-based Western Alliance Bank filed data breach notices saying about 22,000 people were affected by an incident involving file transfer software.
Analysis Summary
# Incident Report: Western Alliance Bank - Third-Party File Transfer Compromise
## Executive Summary
Western Alliance Bank suffered a data breach in the fall of 2024 after an attacker exploited an unknown vulnerability in a third-party vendor’s secure file transfer software (believed to be Cleo). The incident resulted in the exfiltration of sensitive personal identifying information (PII) belonging to over 21,000 individuals. The bank discovered the breach in January 2025 and has initiated customer notification and offered identity protection services.
## Incident Details
- **Discovery Date:** January 27, 2025
- **Incident Date:** Began exploitation on October 12, 2024 (Exfiltration period: October 12, 2024, to October 24, 2024)
- **Affected Organization:** Western Alliance Bank
- **Sector:** Financial Services (Banking)
- **Geography:** Phoenix, Arizona, USA (Breach notifications filed in Maine, California, etc.)
## Timeline of Events
### Initial Access
- **Date/Time:** October 12, 2024 (Unauthorized actor began exploiting the vulnerability)
- **Vector:** Exploitation of an unknown vulnerability in a third-party vendor’s secure file transfer software (suspected Cleo tool).
- **Details:** The vulnerability allowed the unauthorized actor to gain access to a limited portion of Western Alliance’s systems.
### Lateral Movement
- *Not explicitly detailed in the report, but access was gained via the compromised third-party application.*
### Data Exfiltration/Impact
- **Date/Time:** October 12, 2024, to October 24, 2024
- **Details:** Attackers acquired copies of files from the affected systems. Information stolen included names, Social Security numbers, dates of birth, financial account numbers, driver’s license numbers, tax identification numbers, and passports for 21,899 impacted individuals.
### Detection & Response
- **Discovery Date:** January 27, 2025 (When the bank learned hackers had accessed data)
- **Response Actions:** The bank launched an investigation, confirmed data acquisition, and began filing breach notification documents with state regulators (e.g., Maine, California).
## Attack Methodology
- **Initial Access:** Exploitation of a zero-day or unknown vulnerability in a widely used file-sharing/transfer tool (likely Cleo).
- **Persistence:** *Not specified.*
- **Privilege Escalation:** *Not specified.*
- **Defense Evasion:** *Not specified (likely leveraging legitimate vendor software access).*
- **Credential Access:** *Not specified, but the goal was data collection.*
- **Discovery:** *Inferred, reconnaissance within the accessed portion of the systems.*
- **Lateral Movement:** *Inferred, movement within the limited systems accessible via the file transfer tool.*
- **Collection:** Gathering specific types of sensitive PII from accessible files.
- **Exfiltration:** Obtaining copies of the collected sensitive files.
- **Impact:** Confidentiality breach of PII records.
## Impact Assessment
- **Financial:** Not specified, but the bank reported a net income of $787.7 million in 2024.
- **Data Breach:** PII for 21,899 individuals, including SSNs, financial account numbers, driver’s license numbers, and passport information.
- **Operational:** The bank had to conduct an internal investigation and engage in regulatory compliance/notification processes. Thomson Reuters removed the affected application from their environment.
- **Reputational:** Public disclosure required through regulatory filings, attributing the breach to a supply chain incident via a third-party tool (consistent with prior Clop campaigns targeting MOVEit, GoAnywhere, etc.).
## Indicators of Compromise
- **Network indicators:** *None specified (URLs/IPs defanged).*
- **File indicators:** *None specified.*
- **Behavioral indicators:** Exploitation of a vulnerability within Cleo file transfer software leading to unauthorized file download between Oct 12 and Oct 24, 2024.
## Response Actions
- **Containment measures:** Removal of the affected third-party application (As seen in actions by organizations like Thomson Reuters).
- **Eradication steps:** *Not detailed, but likely included patching the vulnerability or replacing the software.*
- **Recovery actions:** Notifying affected individuals (21,899 people) and offering one year of identity protection services.
## Lessons Learned
- Reliance on third-party file transfer software introduces significant supply chain risk, as demonstrated by historical attacks targeting similar tools (MOVEit, GoAnywhere).
- The timeline indicated a significant delay between data exfiltration (October 2024) and official discovery/notification (January 2025).
## Recommendations
- Conduct a thorough audit of all third-party vendors handling sensitive data, specifically focusing on file transfer solutions.
- Enhance monitoring and detection capabilities around access and outbound data transfers originating from vendor-managed applications or appliances.
- Implement stringent access controls and segmentation for all shared/transfer platforms.