Western Alliance Bank says nearly 22,000 impacted by file transfer software breach

Phoenix-based Western Alliance Bank said the information of more than 20,000 people was stolen through a vulnerability in a popular file sharing tool last year. 

The bank filed breach notification documents in Maine and California last week confirming that it was affected by a vulnerability in a “third-party vendor’s secure file transfer software used by Western Alliance and numerous other organizations.” 

The notifications don’t specify the software and did not respond to requests for comment. The bank was one of hundreds of companies and organizations named by the Clop ransomware gang in October after the group claimed it was behind the exploitation of a vulnerability impacting the Cleo file sharing tool. 

“In October 2024, an unauthorized actor began exploiting this unknown vulnerability in the third-party software that allowed the unauthorized actor to gain access to a limited portion of Western Alliance’s systems and to obtain copies of files from those systems,” Western Alliance says in the notifications. 

The bank says it learned that the hackers had accessed data on January 27 and an investigation discovered that they “acquired certain files from the systems from October 12, 2024, to October 24, 2024.”

The information stolen includes names, Social Security numbers and in some cases, dates of birth, financial account numbers, driver’s license numbers, tax identification numbers and passports. 

Western Alliance Bank told regulators in Maine that 21,899 people were impacted and each will get one year of identity protection services. The bank reported a net income in 2024 of $787.7 million and says it has more than $80 billion in assets.

Several companies named by Clop have told Recorded Future News that they are in the process of investigating whether they also were affected.

IT giant Hewlett Packard Enterprise said it is investigating the claims but has not confirmed a compromise, pledging to notify customers if they are affected. 

A spokesperson for Thomson Reuters, whose Legal Tracker subsidiary was also named by Clop, confirmed that a small subset of customers who utilize the company’s Professional Services hosted integration service also used Cleo. 

“We have removed Cleo’s application from our environment. We have been in direct contact with the limited number of affected customers,” the spokesperson told Recorded Future News. 

Thomson Reuters did not say if any Legal Tracker data had been compromised.

The Clop gang — which has conducted global data theft campaigns targeting file sharing tools MOVEit, GoAnywhere and Accellion over the last five years — initially named 66 companies in the fall of 2024 but has slowly been releasing the names of dozens more organizations allegedly impacted by the Cleo breaches throughout 2025.