Cyber Incident Victim: Umpqua Bank

Date: May 2023

Location: United States of America

Summary

An Umpqua Bank technology service provider suffered an external system breach via a vulnerability in the MOVEit file-sharing software, resulting in the unauthorized acquisition of names and Social Security numbers for a significant number of its consumer and small business customers. The bank stated that no account information or commercial customer data was compromised and offered affected individuals 24 months of identity theft protection services.


Description

On or around May 27, 2023, a security incident began impacting Umpqua Bank, a wholly owned subsidiary of Columbia Banking System, Inc. The incident was not initially discovered within the bank's own systems but was instead part of a wider global cyberattack. The attack exploited a previously unknown vulnerability in MOVEit, a file-sharing software used globally by government agencies, enterprise corporations, and financial institutions for transferring files. A cybercriminal group known as CLOP was identified by the Cybersecurity and Infrastructure Security Agency and the FBI as exploiting this flaw to steal files and demand payment to prevent their publication online. This group listed Umpqua Bank and its parent company, Columbia Bank, among numerous other victim organizations on its data-leak website.

Umpqua Bank first became aware of its potential involvement on June 21, 2023, when it was formally notified by one of its technology service providers. This Vendor informed Umpqua that the widely reported security incident involving the MOVEit software had resulted in the unauthorized acquisition of data by a third party. The data acquired from the Vendor's systems consisted of the names and Social Security numbers or tax identification numbers of certain Umpqua Bank consumer and small business customers. The breach period was determined to have occurred from May 27, 2023, to May 31, 2023. The total number of persons affected by this Vendor Incident was 429,252, which included 84 residents of the state of Maine. No Umpqua Bank account information, such as account numbers or passwords, was compromised as a result of this event, and no information pertaining to the bank's commercial customers was involved.

Separately from the Vendor Incident, Umpqua Bank also experienced its own on-premise MOVEit security incident. Upon learning of the MOVEit vulnerability, the bank took immediate action to safeguard its systems. The on-premise instance of the MOVEit software was immediately removed from the network and subsequently decommissioned. An investigation into this on-premise incident, which was communicated to the public earlier in June, concluded that the unauthorized actor did not obtain any customer information or Umpqua Bank data from the bank's own systems. An independent forensics firm was engaged to review the event and confirmed the company's assessment that no data was exfiltrated from its internal instance. This on-premise incident did not cause any interruption to business operations.

In response to the Vendor Incident, Umpqua Bank began customer notification procedures swiftly. On June 22, 2023, the day after being informed by its Vendor, Umpqua Bank sent an email to potentially affected consumer and small business customers to inform them of the event. The bank worked with the Vendor to arrange for formal written notification to all affected customers, which was scheduled for August 11, 2023. A dedicated telephone line, (866) 485-7782, was established, and customers were encouraged to contact their local bank branches with questions. As part of its response, Umpqua Bank, through its outside counsel, provided the required data breach notifications to state authorities, including the Office of the Maine Attorney General.

To mitigate potential harm to affected individuals, Umpqua Bank offered identity theft protection services. The services provided were the OnAlert Essential Bundle from ChexSystems, which included identity monitoring and theft protection. These services were offered for a duration of 24 months at no cost to the impacted consumers. The breach was categorized by the Maine Attorney General's office as an external system breach, or hacking. Columbia Banking System, Inc., the parent company, stated in a filing with the Securities and Exchange Commission that it was continuing to measure the impact of the events but did not currently believe the Vendor Incident or the on-premise incident would have a material adverse effect on its business, operations, or financial results. The filing also acknowledged potential future risks, including legal, reputational, and financial repercussions, potential regulatory inquiries, litigation, and other unforeseen costs that could arise from the incident.
