Arizona-based Western Alliance Bank is notifying nearly 22,000 customers their personal information was stolen in October after a third-party vendor’s secure file transfer software was breached.

Western Alliance is a wholly owned subsidiary of Western Alliance Bancorporation, a leading U.S. banking company with over $80 billion in assets.

The bank first revealed in a February SEC filing that the attackers exploited a zero-day vulnerability in the third-party software (disclosed by the vendor on October 27, 2024) to hack a limited number of Western Alliance systems and exfiltrate files stored on the compromised devices.

Western Alliance found that customer data was exfiltrated from its network only after discovering that the attackers leaked some files stolen from its systems.

In breach notification letters sent to 21,899 affected customers and filed with the Office of Maine’s Attorney General, the company said it has since “determined that the unauthorized actor acquired certain files from the systems from October 12, 2024, to October 24, 2024.”

An analysis of the stolen files concluded on February 21, 2025, and found they contained customer personal information, including your name and Social Security number, as well as their dates of birth, financial account numbers, driver’s license numbers, tax identification numbers, and/or passport information if it was provided to Western Alliance.

“We have no evidence to believe that your personal information has been misused for the purpose of committing fraud or identity theft,” Western Alliance added, saying it’s also offering those affected one year of free membership for Experian IdentityWorks Credit 3B identity protection services.

“While we have no evidence that your personal information has been misused as a result of this incident, we encourage you to take advantage of the complimentary credit monitoring included in this letter.”

A Western Alliance spokesperson was not immediately available for comment when contacted by BleepingComputer earlier today.

Breach claimed by Clop ransomware

While the secure file transfer software compromised in the breach was not named in the breach notification letters or the February SEC filing, the bank is one of 58 companies the Clop ransomware gang added to its leak site in January.

The cybercrime group was behind a series of attacks exploiting a pre-auth zero-day vulnerability (CVE-2024-50623) in Cleo LexiCom, VLTransfer, and Harmony software patched in October, when the company warned customers to upgrade immediately.

In December, Cleo released security updates for a second zero-day (tracked as CVE-2024-55956) that the Clop threat actors exploited to deploy a JAVA backdoor dubbed “Malichus” to steal data, execute commands, and gain further access to the victims’ networks.

“This vulnerability has been leveraged to install malicious backdoor code on certain Cleo Harmony, VLTrader, and LexiCom instances in the form of a malicious Freemarker template containing server-side JavaScript,” Cleo explained in a private advisory.

While it’s currently unknown how many companies were breached in these attacks, Cleo claims its software is used by over 4,000 organizations worldwide.

Clop was previously linked to several other data theft campaigns in recent years, targeting zero-day flaws in MOVEit Transfer, GoAnywhere MFT, and Accellion FTA.