What Credit Unions Can Learn from Recent FI Breaches

By Roy Urrico

A breach at the $81 billion Western Alliance Bank in Phoenix should prompt financial institutions – including credit unions – and independent mortgage banks (IMBs) to reevaluate their cybersecurity strategies, ensuring they have robust defenses in place to protect member information and maintain trust.

That is the candid advice of Brad Blumberg, co-founder of Philadelphia-based Aster Key, an app that empowers consumers to anonymize, organize, and encrypt financial data on mobile phones.

In March 2025 Western Alliance Bank started notifying nearly 22,000 customers after the breach containing their personal information. The Arizona bank revealed in a February U.S. Securities and Exchange Commission filing that the attackers exploited a zero-day vulnerability in a third-party vendor's secure file transfer software (disclosed by the vendor on October 27, 2024) to hack a limited number of Western Alliance systems and exfiltrate files stored on the compromised devices.

An analysis of the stolen files concluded on February 21, 2025, and found they contained customer personal information, including names, Social Security numbers, birthdates, and passport information, as well as financial account, driver's license, and tax identification numbers.

“Despite Western Alliance Bank's comprehensive information security program, which adheres to industry standards and frameworks, this incident highlights that even organizations with robust defenses are vulnerable to cyber threats,” Blumberg told Finopotamus. He also noted the exploitation of third-party software vulnerabilities, as seen in this incident, emphasizes the necessity for financial institutions to establish third-party risk management protocols. That can help identify and address potential security gaps, ripe for exploitation.

Relevance to Credit Unions and FIs

“This breach underscores the vulnerabilities that financial institutions face, especially when third-party vendors are involved,” said Blumberg. “Such incidents highlight the risks associated with third-party service providers, a concern that is equally relevant for IMBs and credit unions.”

Credit unions are susceptible to similar breaches, claimed Blumberg. “Credit unions, like other financial institutions, often rely on third-party vendors for various services,” he said. Blumberg pointed out if not adequately secured, vendors' systems could introduce vulnerabilities. “For instance, the $1.88 billion North Augusta, S.C.-based SRP Federal Credit Union experienced a cyberattack affecting over 240,000 individuals.”

Based on subsequent forensic examination, SRP FCU, with 19 locations in South Carolina and Georgia, revealed that cybercriminals penetrated its network and gained access to its data files between September 5, 2024 through Nov. 4, 2024. The investigation concluded on November 22. Members received notification about the breach Dec. 12, 2024.

SRP FCU told regulators leaked information included names, Social Security numbers, driver’s license numbers, birthdates and financial information such as account numbers and credit or debit card numbers.

There are regulatory and legal Implications too. “Data breaches can lead to regulatory scrutiny and legal challenges. Credit unions may face lawsuits following data breaches, adding to the financial and reputational damage,” said Blumberg.

Protective Measures Against Third-Party Related Attacks

Blumberg suggested protective actions financial institutions, including credit unions, can take to mitigate risks.

• Comprehensive Vendor Risk Management. Financial institutions should implement robust third-party risk management programs. This includes conducting thorough due diligence before onboarding vendors, continuously monitoring their security posture, and ensuring they adhere to stringent cybersecurity standards.

• Regular Security Assessments. Conduct regular security assessments and audits of third-party vendors can help identify and mitigate potential vulnerabilities.

• Incident Response Planning. Develop and regularly update incident response plans ensures preparedness to address and contain breaches promptly, minimizing potential damage.

Additional Lessons for FIs

Blumberg told Finoptamus there are some additional lessons gained from the Western Alliance Bank breach.

• Prompt Detection and Disclosure. “The WAB breach went undetected for over three months, with disclosure occurring approximately 46 days after discovery. This delay highlights the need for effective monitoring systems to detect breaches promptly and transparent communication strategies to inform affected parties swiftly.”

• Investment in Cybersecurity Infrastructure. “Allocating resources to enhance internal cybersecurity infrastructure can reduce reliance on third-party solutions and mitigate associated risks.”

• Employee Training and Awareness. “Regular training programs can equip employees with the knowledge to recognize and respond to potential security threats, fostering a culture of security awareness.”

“In summary, the Western Alliance Bank breach serves as a critical reminder for all financial institutions, including credit unions and IMBs, of the pervasive risks associated with third-party vendors. Implementing robust risk management strategies, enhancing internal security measures, and fostering a culture of vigilance are essential steps in safeguarding sensitive information and maintaining customer trust,” Blumberg said.

He added “One reason I started Aster Key – I do not like using bank systems to upload docs. Consumers are asked to use systems from multiple banks and vendors, and it is a learning curve. I would rather have my docs at Aster Key and send from there, same every time.”