Western Alliance Bank, a subsidiary of Western Alliance Bancorporation, has informed nearly 22,000 customers of a data breach. 

The breach occurred due to a zero-day vulnerability that malicious actors were able to exploit. The flaw was found in a third-party software, and it was used to hack a select few Western Alliance systems to exfiltrate files. The data loss was discovered only after malicious actors leaked some of the stolen files.  

According to the data breach notice filed with the Office of Maine's Attorney General, a malicious actor gained access to system files in October 2024. After an investigation of the stolen files, it was determined that the breached data included: 

• Names
• Dates of birth 
• Driver's license numbers,
• Financial account numbers
• Tax identification numbers
• Passport information
• Social Security numbers 

Below, security leaders share their insights on the data breach. 

Security leaders weigh in 

Mr. Piyush Pandey, CEO at Pathlock:

The breach at Western Alliance Bank underscores two key aspects. First, it highlights the growing challenge of mitigating vulnerabilities in third-party applications amidst the complexity of modern IT ecosystems in the financial sector. Continuous vulnerability scanning and robust patch management should be implemented to address this issue. 

Second, it emphasizes the need for real-time sensitive data access monitoring. Anomalous access attempts should be detected and terminated at an early stage to prevent potential exfiltration and data leaks. 

These are critical aspects of security in the financial sector, especially given its highly regulated nature concerning data protection and privacy and potential negative consequences for companies in terms of compliance fines.

Mr. Akhil Mittal, Senior Manager at Black Duck:

Organizations continue to trust third-party software without enough oversight and every few months, the same scenario plays out — a vendor gets breached, sensitive data is stolen and customers get offered a year of credit monitoring that does little to fix the real issue. This isn’t just about Western Alliance — it’s a systemic problem with third-party risk.

Financial institutions spend millions on cybersecurity, yet many still lack real-time visibility into the security of their vendors. ‘Trust but verify’ isn’t enough anymore. If a third-party tool handles sensitive data, it needs continuous monitoring, not just a compliance checklist. Customers aren’t shocked when financial institutions get hacked; they expect it. It’s essential for financial institutions to detect and notify their customers of any data loss as soon as possible to prevent further loss and ensure the right next steps are taken quickly.