Cyber Incident Victim: Westamerica Bank

On or around May 27, 2023, a security incident occurred at a third-party vendor utilized by Westamerica Bank for processing services. The bank was formally notified of this potential compromise by the vendor on May 31, 2023. The incident did not occur on any internal Westamerica Bank system, and the bank confirmed it does not use the specific transfer software that was potentially compromised at the vendor. The available information indicated the event window for the potential compromise spanned from May 27 to May 31, 2023.

The incident involved the potential compromise of personal information belonging to Westamerica Bank customers. The specific data elements involved were not detailed in the bank's notification, though the letter's structure indicated the type of data compromised, referred to as `[Data]`, would be personalized for each recipient. At the time the notifications were dispatched, Westamerica Bank stated it had no indication that any customer information had been subject to actual misuse as a direct result of this third-party vendor incident.

Upon being notified by the vendor on May 31, Westamerica Bank immediately launched an internal review to determine the scope of the incident and identify which customers may have been affected. The bank had pre-existing data security safeguards in place with its vendors, which were leveraged to quickly identify and contain the improper access to sensitive information. The bank's review of its third-party relationships, including the vendor responsible for this incident, is an ongoing process. The dissemination of customer notification letters was not delayed as a result of any law enforcement investigation.

The primary consequence for affected customers was the potential exposure of their personal information, creating a risk of future fraud or identity theft. In response, Westamerica Bank undertook several actions to protect its customers and mitigate potential harm. The bank committed to closely monitoring the account activity of affected individuals for any signs of suspicious transactions. Furthermore, as an added security measure, the bank arranged for and offered complimentary credit monitoring and identity restoration services to those whose information was involved.

The bank provided a complimentary 12-month membership to Experian’s IdentityWorks product for all affected individuals. This service was designed to provide identity detection and resolution services in the event of identity theft. To activate the membership, customers were required to enroll online using a provided unique activation code by a deadline of October 31, 2023. For those unable to enroll online or who required assistance, a dedicated customer care phone number was provided, along with an engagement number required to prove eligibility for the identity restoration services.

In its communication, Westamerica Bank also outlined specific steps customers could take to protect themselves, though these were presented as recommendations from the bank rather than actions taken by the bank itself. These recommendations included frequently reviewing bank account statements for the next twelve to twenty-four months for any unauthorized activity and immediately contacting the bank at a provided toll-free number if fraud was suspected. The bank further recommended that customers consider placing a fraud alert on their credit files by contacting one of the three major credit bureaus: Experian, Equifax, or TransUnion. Placing a fraud alert instructs creditors to contact the consumer directly before opening any new accounts in their name, adding an extra layer of verification. The bank provided the specific phone numbers for each credit bureau's fraud victim assistance line to facilitate this process. The incident was attributed to a failure at a third-party processing vendor, and Westamerica Bank apologized for the incident and any inconvenience it caused to its customers.