
Western Alliance Bank notifies 22K people of data breach that compromised SSNs

Western Alliance Bank over the weekend confirmed it notified 21,899 people about an October 2024 data breach that compromised the following info:

  • Names
  • Social Security numbers
  • Dates of birth
  • Financial account numbers
  • Driver’s license numbers
  • Tax ID numbers
  • Passport

Ransomware gang Clop claimed responsibility for the breach. This is one of several recent breaches claimed by Clop related to its exploitation of vulnerabilities in the Cleo file transfer software used by many organizations.


Western Alliance Bank has not verified Clop’s claim. We do not yet know if the bank paid a ransom or how much Clop demanded. Comparitech contacted Western Alliance Bank for comment and will update this article if it replies.

“A third-party vendor’s secure file transfer software used by Western Alliance and numerous other organizations had an unknown vulnerability. In October 2024, an unauthorized actor began exploiting this unknown vulnerability in the third-party software that allowed the unauthorized actor to gain access to a limited portion of Western Alliance’s systems and to obtain copies of files from those systems,” says the bank’s notice to victims. “Our investigation determined that the unauthorized actor acquired certain files from the systems from October 12, 2024, to October 24, 2024.”

Western Alliance Bank is offering eligible victims one year of free credit monitoring through Experian.

Who is Clop?

Clop, or Cl0p, is a high-profile ransomware group that first surfaced in 2019. Its latest wave of claims mostly involves exploiting vulnerabilities in the Cleo file transfer software, which is used by many organizations. Like some other ransomware groups, Clop doesn’t always encrypt files. Instead, it demands ransoms solely in exchange for not selling or publishing stolen data.

In 2024, Clop claimed nine confirmed ransomware attacks, plus 74 unconfirmed attacks that haven’t been acknowledged by the targeted organizations. 55 of the 74 unconfirmed claims are related to the same Cleo vulnerability used to breach Western Alliance Bank.

In 2025, Cl0p has claimed responsibility for 332 unconfirmed attacks, the vast majority of which exploited Cleo.

Ransomware attacks on US finance

Ransomware attacks on US finance can endanger clients and delay day-to-day operations until systems are restored. Banks and other financial institutions must either pay a ransom or face extended downtime, data loss, and increased risk of fraud for customers.

In 2024, Comparitech researchers logged 61 confirmed ransomware attacks on the US finance sector, compromising more than 34.9 million records. The average ransom demand is $1.05 million.

Other recently confirmed ransomware attacks on US finance include:

  • Ikav Energy notified 5,832 people of a December 2024 data breach claimed by DragonForce
  • Trinity Petroleum Management notified 46,659 people about an October 2024 data breach claimed by BianLian
  • Carruth Compliance Consulting notified 215,383 people of a December 2024 data breach claimed by Skira

About Western Alliance Bank

Based in Phoenix, Western Alliance Bank operates branches nationwide with the majority in Arizona and Nevada. It manages $70 billion in assets and employs more than 3,000 people, according to external sources.

