Western Alliance Bank is notifying roughly 22,000 individuals that their personal information was stolen from a third-party secure file transfer software.
The incident, the bank says, occurred in October 2024, when a threat actor started exploiting an unknown vulnerability in the file transfer tool, gaining access to “a limited portion of Western Alliance’s systems” and stealing files from them.
In January, Western Alliance learned that data was compromised in the attack, and in February it determined that personal information was stolen, including names, Social Security numbers, dates of birth, driver’s license numbers, passport information, financial account numbers, and tax identification numbers.
The financial institution is providing the potentially impacted individuals with one year of identity protection services. Western Alliance notified the Maine Attorney General’s Office that 21,899 individuals were affected by the data breach.
In a February filing with the Securities and Exchange Commission, Western Alliance said it became aware of the data breach after a threat actor published allegedly stolen information online, and said that the incident would not have a material impact on its financial condition or results of operations.
The vulnerable application exploited in the attack, which the firm did not name, is a Cleo file transfer tool, Comparitech consumer privacy advocate Paul Bischoff told SecurityWeek in an emailed comment.
In late 2024, the Cl0p extortion group exploited two zero-day flaws in Cleo’s file transfer products to steal data from dozens of organizations. The bugs are tracked as CVE-2024-50623 and CVE-2024-55956.
Over the past several months, the group added to its Tor-based leak site hundreds of organizations, including Western Alliance, and most of these intrusion claims are linked to the exploitation of Cleo vulnerabilities, Bischoff says.
“In 2024, Clop claimed nine confirmed ransomware attacks, plus 74 unconfirmed attacks that haven’t been acknowledged by the targeted organizations. 55 of the 74 unconfirmed claims are related to the same Cleo vulnerability used to breach Western Alliance Bank. In 2025, Cl0p claimed responsibility for 332 unconfirmed attacks, the vast majority of which exploited Cleo,” Bischoff told SecurityWeek.
Related: Recent Fortinet Vulnerabilities Exploited in ‘SuperBlack’ Ransomware Attacks
Related: Medusa Ransomware Made 300 Critical Infrastructure Victims
Related: Record Number of Ransomware Attacks in December 2024
Related: Cleo Patches Exploited Flaw as Security Firms Detail Malware Pushed in Attacks