Update: This story was edited to include a statement from Western Alliance and correct the number of days the bank took to report the breach.
Western Alliance Bank recently disclosed it suffered a data breach that went unnoticed for three months and affected nearly 22,000 people.
The breach occurred from Oct. 12 to Oct. 24 last year, and the bank discovered it on Jan. 27, according to a letter the bank sent to victims. The Maine attorney general relayed
Phoenix-based Western Alliance told victims that the information involved in the data breach included their name and Social Security number. Stolen files also included dates of birth, financial account numbers, driver's licenses, tax identification numbers and passports.
Western Alliance said the threat actor that perpetrated the breach exploited a vulnerability in a third-party vendor's secure file transfer software, used by the bank and "numerous other organizations," according to the letter from the bank.
Western Alliance told American Banker that it was investigating the nature and extent of the unauthorized access and had started to notify potentially involved customers.
"There has been no material impact to business operations or the company's financials, and we are reviewing existing policies and implementing additional safeguards to further secure the information in our systems," the bank said in a statement.
Exploits in file transfer software are relatively rare but
A threat actor exploited the vulnerability in Cleo software to steal data starting in October,
If the vulnerability the attackers used against Western Alliance was in a Cleo product or service, it would make the bank one of the earliest targets by threat actors exploiting the vulnerability.
The bank said an unauthorized party accessed the breached files from Oct. 12 to Oct. 24. Arctic Wolf said malicious activity as part of the campaign against Cleo started as early as Oct. 19, with a sharp increase in December.
Also, if the Western Alliance breach was the result of the Cleo vulnerability, it would mean it took the bank roughly a month and a half to discover the breach, starting when Huntress disclosed the vulnerability, or three months starting from the time when the threat actors exploited the vulnerability.
If the vulnerability that got Western Alliance was in a different file transfer product, one possible explanation is that attackers took a long time — at least a year — to use a known vulnerability against the bank, and that the bank left the known vulnerability unpatched for that same period of time.
The most probable candidate in this case would be MoveIt, a product from Progress Software; that company disclosed a vulnerability in its product
While not all states set a specific timeline for how quickly a company must disclose a data breach, those that do have timelines typically provide 30 to 45 days, starting when the company discovers the breach. For example, Maine provides 30 days, and Arizona provides 45. Western Alliance took 46 days.
Exceptions are typically made for cases where law enforcement has requested the company not report the information publicly, as this can reduce the risk of an attacker covering their tracks. Indeed, Maine and Arizona provide such exceptions, and Western Alliance told customers that the bank had notified law enforcement of the incident.