
Western Alliance Bank: 21,899 Customers Exposed and What It Reveals About Third-Party Tool Risk

A vulnerability in third-party file transfer software exposed sensitive data of nearly 22,000 customers at an $80 billion bank. Is your company exposed to the same vector?
May 27, 2026

Nearly 22,000 Customers of an $80 Billion Bank Had Their Data Exposed

In February 2025, Western Alliance Bank, a financial institution headquartered in Arizona with assets exceeding $80 billion, publicly confirmed that data belonging to approximately 21,899 customers had been compromised in a security breach. The incident was linked to the exploitation of a vulnerability in a third-party file transfer tool called Cleo, used by numerous organizations around the world. Among the exposed information were Social Security numbers, financial data, and personal identification documents, as reported by BleepingComputer and SecurityWeek.

The bank notified the appropriate regulatory authorities and initiated the process of individually communicating with affected customers. This is a legally mandated protocol in many jurisdictions, and the mere act of complying with it already represents a significant operational, reputational, and legal cost for any organization.

The case draws attention not because of the sophistication of the attack itself, but because of a strategic detail: the entry point was not necessarily the bank's internal environment, but a third-party tool integrated into its operations. This represents a risk vector that affects companies of all sizes, across all sectors. According to the IBM Cost of a Data Breach Report 2024, the average global cost of a data breach reached $4.88 million per incident, with breaches involving third parties being consistently more costly and time-consuming to contain.

The goal of this article is not to speculate about what occurred within Western Alliance Bank's internal systems, as those details are not public. The goal is to use this case as a starting point for a structured reflection: if a bank with dedicated security teams and billions in assets is subject to this type of exposure, what does that say about your organization's security posture?


Vectors That Attacks Like This Typically Exploit

Although the internal details of the Western Alliance Bank incident are not public, attacks that exploit third-party file transfer tools typically take advantage of unpatched vulnerabilities in vendor software. When an organization integrates a third-party solution into its environment, it inherits that vendor's risk profile. If the vendor is slow to issue a patch, or if the organization is slow to apply it, the exposure window remains open. In corporate environments with dozens of active integrations, it is common for critical patches to take weeks to be applied, especially when there is no formal, continuous vulnerability management process in place. An attacker who identifies this window can exploit it in an automated fashion, scanning thousands of targets simultaneously before any alert is generated.

Another vector frequently associated with this type of incident is the lack of proactive monitoring of data traffic between integrated systems. File transfer tools move large volumes of information between distinct environments. Without continuous visibility into who is accessing what, when, and where data is being sent, data exfiltration can go undetected for days or weeks. The Verizon Data Breach Investigations Report 2024 (DBIR) points out that the average time between initial intrusion and detection is still measured in days in a large portion of global incidents. Every day without detection is another day of exposed data and accumulated damage.

A third relevant vector involves the absence of adequate segmentation between environments and systems. When a third-party tool has unrestricted access to sensitive data, a vulnerability within it is equivalent to a vulnerability at the core of the environment. Well-segmented networks limit the blast radius of any compromise: even if one component is breached, the attacker encounters barriers that prevent lateral movement and large-scale exfiltration. Network segmentation, combined with least-privilege principles for data access, is one of the most effective structural measures for containing the damage from incidents that begin at the periphery of the environment.


How to Protect Your Infrastructure with a Layered Approach

Effective protection against attacks that exploit third-party tools begins with a rigorous continuous patch and vulnerability management program. This means cataloging all software in use — including integrations and external vendor tools — actively monitoring security bulletins, and applying critical fixes within defined, auditable timeframes. Organizations that rely on manual or sporadic processes for this activity inevitably accumulate security technical debt. A managed IT approach allows this process to be automated, prioritized by criticality, and documented for regulatory compliance purposes.
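The "defined, auditable timeframes" above can be checked mechanically once the software catalog exists. The following is an added example, not code from the original article or from any vendor: it walks a constructed inventory of third-party integrations, compares installed versions against the vendor's fixed version, and reports the exposure window per tool against an assumed severity-based SLA, overdue items first. Tool names, versions, dates and SLA values are all illustrative.

```python
"""Patch SLA tracker for third-party integrations (added example, constructed data)."""
from datetime import date

# Assumed remediation SLAs in days, by advisory severity (policy values, not the article's).
SLA_DAYS = {"critical": 7, "high": 14, "medium": 30}

def parse_version(v):
    """Turn '5.8.1' into (5, 8, 1) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in v.split("."))

# Constructed inventory: tool name, installed version, and the vendor advisory
# (fixed version, severity, publication date). Names and numbers are illustrative only.
INVENTORY = [
    {"tool": "file-transfer-gateway", "installed": "5.8.0",
     "fixed": "5.8.1", "severity": "critical", "published": "2025-01-15"},
    {"tool": "payroll-connector", "installed": "2.3.4",
     "fixed": "2.3.4", "severity": "high", "published": "2025-01-20"},
    {"tool": "crm-sync-agent", "installed": "1.9.0",
     "fixed": "1.9.2", "severity": "medium", "published": "2025-02-01"},
]

def assess(inventory, today_iso):
    """Return one record per unpatched tool: exposure days and whether the SLA is breached.

    Records are sorted so overdue items come first, then by longest exposure, which is
    the order a patch queue should be worked.
    """
    today = date.fromisoformat(today_iso)
    findings = []
    for item in inventory:
        if parse_version(item["installed"]) >= parse_version(item["fixed"]):
            continue  # fix already applied; nothing to report
        exposure = (today - date.fromisoformat(item["published"])).days
        sla = SLA_DAYS[item["severity"]]
        findings.append({"tool": item["tool"], "severity": item["severity"],
                         "exposure_days": exposure, "sla_days": sla,
                         "overdue": exposure > sla})
    findings.sort(key=lambda f: (not f["overdue"], -f["exposure_days"]))
    return findings

if __name__ == "__main__":
    for f in assess(INVENTORY, "2025-02-10"):
        flag = "OVERDUE" if f["overdue"] else "within SLA"
        print(f"{f['tool']:24} {f['severity']:8} {f['exposure_days']:3}d / {f['sla_days']}d  {flag}")
```

Run against a real catalog, the output is the auditable record the paragraph asks for: each open advisory, how long it has been open, and whether the organization is inside its own remediation window.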

Complementing patch management with proactive 24/7 monitoring and intelligent behavior-based alerts transforms the security posture from reactive to anticipatory. Rather than discovering a breach after the damage is done, teams with continuous visibility identify anomalous patterns — such as data transfers outside of normal business hours or access from unusual locations — and act before the incident fully materializes. EDR (Endpoint Detection and Response) technologies are a central part of this layer, providing detailed telemetry on the behavior of every device and system integrated into the environment.
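The two anomaly patterns named above (off-hours transfers and access from unusual locations), plus a daily volume cap, can be expressed as simple rules over a file transfer tool's audit log. This is an added example, not code from the article or from any file transfer product: the log format, the partner network allowlist, the business-hours window and the byte cap are all assumptions, and the log lines are constructed.

```python
"""Behaviour-based alerting over file-transfer audit logs (added example, constructed data)."""
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample lines in an assumed "timestamp user source_ip action bytes" format.
SAMPLE_LOG = """\
2025-02-10T10:15:02 svc_partner 203.0.113.10 DOWNLOAD 120000
2025-02-10T14:40:11 svc_partner 203.0.113.10 DOWNLOAD 95000
2025-02-11T03:02:45 svc_partner 198.51.100.77 DOWNLOAD 48000000
2025-02-11T03:05:12 svc_partner 198.51.100.77 DOWNLOAD 52000000
2025-02-11T09:30:00 j.smith 203.0.113.22 UPLOAD 3000
"""

# Assumed policy values: the partner's known network, local business hours, per-day cap.
ALLOWED_NETWORKS = [ip_network("203.0.113.0/24")]
BUSINESS_HOURS = range(8, 18)          # 08:00-17:59 local time
DAILY_BYTES_CAP = 50_000_000           # 50 MB downloaded per account per day

def parse_line(line):
    ts, user, src, action, nbytes = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "src": ip_address(src), "action": action, "bytes": int(nbytes)}

def analyse(log_text):
    """Return (reason, user, timestamp) alerts for download events.

    off_hours and unknown_source fire per event; volume_cap fires once per
    user and day, on the event that pushes the running total over the cap.
    """
    alerts, daily_totals = [], {}
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev["action"] != "DOWNLOAD":
            continue  # only outbound data movement is of interest here
        when = ev["ts"].isoformat()
        if ev["ts"].hour not in BUSINESS_HOURS:
            alerts.append(("off_hours", ev["user"], when))
        if not any(ev["src"] in net for net in ALLOWED_NETWORKS):
            alerts.append(("unknown_source", ev["user"], when))
        key = (ev["user"], ev["ts"].date())
        before = daily_totals.get(key, 0)
        daily_totals[key] = before + ev["bytes"]
        if before <= DAILY_BYTES_CAP < daily_totals[key]:
            alerts.append(("volume_cap", ev["user"], when))
    return alerts

if __name__ == "__main__":
    for reason, user, when in analyse(SAMPLE_LOG):
        print(f"{when}  {user:12} {reason}")
```

In the sample, the daytime transfers from the known partner range produce nothing, while the 03:00 downloads from an unlisted address trip all three rules; in practice these alerts would be forwarded to the SIEM or EDR console the paragraph describes.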

The third structural layer is the combination of network segmentation with multi-factor authentication (MFA) applied to all sensitive access points, especially those carried out by third-party systems. MFA ensures that a compromised credential, on its own, is not sufficient to open a path to critical data. Segmentation, in turn, ensures that even authorized access is limited to the minimum scope necessary for that specific integration. Together, these measures drastically reduce the attack surface available to any malicious actor who manages to exploit a peripheral vulnerability.


Questions Every Decision-Maker Should Be Asking Right Now

1. Would my backups actually work in a disaster like this? How quickly could my operations be back online?

2. Does my team have the right tools to identify and block an attack like this immediately, before it causes the full extent of the damage? How am I investing in the preparedness of my technical team?

3. How long could my company survive without access to its systems and files?

Would my backups actually work in a disaster like this? How quickly could my operations be back online?

This question may seem simple, but most organizations cannot answer it with precision. Having backups configured is not the same as having functional backups. Backups that reside within the same compromised environment, or that are accessible through the same attacked network, can be encrypted or destroyed along with the primary data. The only way to guarantee true resilience is to maintain isolated, encrypted copies that are regularly tested in environments that are physically or logically separate from the production environment. This model is known as immutable backup with network isolation, and its effectiveness depends directly on the frequency of restoration tests.

The second component of this question is the RTO (Recovery Time Objective). Many companies only discover their actual RTO during an incident, and the surprise is usually unpleasant. A well-structured managed IT program defines RTO and RPO (Recovery Point Objective) based on real business needs, and conducts periodic simulations to validate that the numbers are achievable. Without this validation, the recovery plan exists only on paper.

Does my team have the right tools to identify and block an attack like this immediately, before it causes the full extent of the damage?

The honest answer for most mid-sized companies is: probably not — and that is not a criticism of the internal team; it is a matter of scale and specialization. EDR tools, event correlation monitoring platforms (SIEM), and documented incident response processes require continuous investment, constant updates, and dedicated professionals to operate effectively. An internal IT team focused on keeping operations running rarely has the residual capacity to monitor threats in real time and respond to alerts at 3 in the morning.

Investing in the preparedness of the technical team goes beyond tools: it involves continuous training in threat recognition, phishing simulations, escalation protocols, and a security culture. According to the Verizon DBIR 2024, 68% of data breaches involved the human element — whether through error, social engineering, or privilege abuse. Managed IT with a training and awareness component transforms the human factor from a risk vector into a layer of defense.

How long could my company survive without access to its systems and files?

This is the question that turns IT security into a business conversation. Every hour of downtime has a measurable cost: unprocessed orders, interrupted services, contracts at risk, damaged reputation. For regulated industries such as finance, healthcare, and retail, the disruption also creates regulatory exposure. A documented and tested incident response plan — with clearly defined roles, structured communication, and recovery runbooks — is what separates organizations that survive incidents from those that shut down because of them. According to FEMA (Federal Emergency Management Agency), 40% of small businesses never reopen after a disaster, and another 25% close within one year. Protection is not a cost. It is continuity.


If your company does not yet have an integrated layered protection strategy, consider scheduling a Strategic IT Assessment, at no commitment, to identify vulnerabilities before they become headlines.
