Western Alliance Bank reported a data breach involving a third-party vendor’s file transfer software, which exposed some customer personal information. The independent mortgage broker (IMB) said that although personal information was compromised, there is currently no evidence of fraud or identity theft resulting from the incident.
According to a notice distributed by the company, an unauthorized actor exploited a previously undiscovered vulnerability in the software to gain access to a limited portion of Western Alliance’s systems. The actor then extracted copies of certain files.
“The breach at Western Alliance Bank, a lending institution with more than $80 billion in assets, should prompt IMBs, which often have far fewer resources, to reevaluate their cybersecurity strategies, ensuring they have robust defenses in place to protect member information and maintain trust,” the notice stated. “It’s a stark reminder to mortgage lenders how imperative it is to secure sensitive customer data.”
The incident occurred in October 2024, but the bank did not become aware of it until Jan. 27 of this year. By Feb. 21, the company had determined that files compromised in the breach contained personal information belonging to about 22,000 customers, including customer names and Social Security numbers. In some cases, the stolen data may also have included dates of birth, financial account numbers, driver’s license numbers, tax identification numbers, and passport details.
In addition to notifying customers, as required by law, Western Alliance has reported the incident to law enforcement and said it plans to implement enhanced security measures to prevent similar incidents in the future.
As a precaution, the bank is offering affected individuals a free one-year membership to Experian IdentityWorks Credit 3B – a credit monitoring and identity protection service. The bank encouraged customers to enroll in the complimentary service and review additional guidance on identity theft prevention included in its notification.
Under the Federal Trade Commission’s (FTC) Safeguards Rule, financial institutions must notify the FTC no later than 30 days after discovery of a security breach involving information belonging to at least 500 consumers. When companies do not comply with this requirement, they can be subject to a class action lawsuit.