Published: 6/30/2025
Last Updated: 6/30/2025
A third-party vendor’s secure file transfer software used by Western Alliance Bank (“Western Alliance”) and numerous other organizations had an unknown vulnerability. In October 2024, an unauthorized actor began exploiting this vulnerability, which allowed the unauthorized actor to gain access to a limited portion of Western Alliance’s systems and to obtain copies of files from those systems. Western Alliance learned on January 27, 2025, that an unauthorized actor had potentially accessed some of Western Alliance’s data. The investigation determined that the unauthorized actor had gained access to a Western Alliance server and acquired certain files from the systems from October 12, 2024, to October 24, 2024. Western Alliance has notified law enforcement of this incident. Western Alliance conducted a comprehensive review of the relevant files and notified individuals as their information was identified during that review. The type of information varies by individual but may include one or more of the following: name, date of birth, Social Security number, tax identification number, driver's license number/government identification number, passport number, financial account number, health insurance information, and/or credit/debit card number with and without expiration date and security code.
Western Alliance has sent letters to involved individuals for whom valid mailing addresses are available, including an offer of complimentary identity theft protection services for those whose Social Security numbers, tax identification numbers, driver's license number/government identification numbers, and/or passport numbers were involved. To date, Western Alliance has no evidence that personal information has been misused; however, as a precautionary measure, Western Alliance recommends individuals remain vigilant to protect against potential fraud and/or identity theft by, among other things, reviewing account statements and monitoring credit reports. If individuals detect suspicious activity, they should notify the entity with which the account is maintained and promptly report any fraudulent activity to proper law enforcement authorities, including the police and the state attorney general. Additional information regarding identity protection can be obtained at www.ftc.gov/idtheft or by calling the Federal Trade Commission at 1-877-ID-THEFT (1-877-438-4338). Individuals may also contact the FTC at: Federal Trade Commission, 600 Pennsylvania Avenue, NW, Washington, DC 20580.
Contact information for the three national credit reporting agencies is as follows:
Equifax
1-866-349-5191
www.equifax.com
P.O. Box 740241
Atlanta, GA 30374
Experian
1-888-397-3742
www.experian.com
P.O. Box 2002
Allen, TX 75013
TransUnion
1-800-888-4213
www.transunion.com
P.O. Box 1000
Individuals seeking additional information regarding the incident may call a confidential, toll-free inquiry line at 855-659-0036 from 9 a.m. – 9 p.m. Eastern Time, Monday through Friday, excluding major U.S. holidays.