About 22k WAB customers impacted by a zero-day attack on a third-party vendor
The bank had first disclosed the incident in a February SEC filing, revealing that a limited number of WAB systems were hacked using a zero-day vulnerability affecting one of the bank’s third-party vendor’s secure file transfer software.
“The Company was made aware of a zero-day vulnerability at the vendor on October 27, 2024 (the “Vendor Incident”), and immediately activated its incident response process to investigate and deployed all patches as recommended by the software developer. The Company and its information security consultants found no evidence of any unlawful infiltration or exfiltration of any Company or customer data until January 27, 2025, when the Company’s surveillance process identified files related to the Vendor Incident published by the threat actor. The files included data flowing through the file transfer software between October 12-24, 2024, prior to notification of the Vendor Incident,” the company wrote in its SEC filing.
PII, financial details likely compromised
While the bank had said in the SEC filing, citing the preliminary investigation, that it found no unlawful “infiltration or exfiltration of any company or customer data” until January 27, 2025 (also the day the incident was discovered), it sent out letters to customers on March 14, 2025, revealing the new findings.
