Cyber Incident Victim: Umpqua Bank
Date: Jun 2023
Location: United States of America
Summary
Umpqua Bank confirmed it was impacted by a large-scale cyberattack exploiting a vulnerability in the MOVEit file transfer software. The incident did not affect the bank's internal IT systems but potentially exposed data that had been uploaded to the third-party program. An investigation to determine the scope of the breach, including the specific types of data compromised and the affected individuals, is currently ongoing. Notification letters will be sent to all impacted parties once the investigation is complete.
Description
On June 19, 2023, Umpqua Bank publicly confirmed it was a victim of a significant cyber incident. The breach was not a direct attack on the bank's own IT infrastructure but was instead the result of a vulnerability within a third-party software product, the MOVEit managed file transfer application developed by Progress Software. The bank stated it was one of numerous government agencies, large corporations, and other enterprises globally affected by this widespread software vulnerability. The incident involved a security flaw in the MOVEit application that provided threat actors with a mechanism to access confidential information that had been entrusted to the software for transfer purposes. The bank's core internal systems were not compromised by this event, as the vulnerability was isolated to the MOVEit program itself and only affected data that had been input into that specific application.

Upon learning of the incident, Umpqua Bank initiated its response protocol. The immediate action taken was to secure its system, which involved addressing the vulnerability within the MOVEit software to prevent any further unauthorized access. Following the initial containment steps, the bank engaged outside cybersecurity specialists to assist with a comprehensive forensic investigation. The primary objectives of this investigation were to determine the full scope and impact of the security breach. Analysts worked to identify precisely which individuals were affected and to categorize the specific types of data that were exposed or exfiltrated by the attackers as a result of the MOVEit exploit.

As of the confirmation date, the investigation remained ongoing. Umpqua Bank had not yet finalized the specifics regarding the nature of the compromised data or completed the process of identifying all impacted individuals. Consequently, formal data breach notification letters had not been dispatched to any affected parties at that time. The bank committed to sending these notifications to all individuals whose information was compromised once the investigation reached a point where it could confirm who was impacted. The breach notification process is a standard regulatory and legal requirement following a data security incident.

Umpqua Bank is a substantial financial institution headquartered in Lake Oswego, Oregon. Founded in 1953, the bank had grown to hold more than $50 billion in assets and operated a network of approximately 300 branch locations across several western states, including Washington, Oregon, Idaho, California, Nevada, Arizona, Utah, and Colorado. The institution had recently undergone a significant corporate change, having merged with Columbia Bank in February 2023. Following this merger, Umpqua Bank came to be operated by its holding company, Columbia Banking System, Inc. The organization employed over 3,500 people and generated annual revenue of approximately $1.3 billion, indicating the substantial scale of the entity impacted by this data security event.

The incident was part of a much broader, global cyberattack campaign targeting users of the MOVEit file transfer software. This widespread exploitation affected a diverse range of organizations worldwide, making the Umpqua Bank breach a single component of a larger cybersecurity event. The bank’s public statements emphasized that its situation was not unique but was shared by many other entities that utilized the same vulnerable software product. The response actions, including engaging external cybersecurity experts and conducting a thorough investigation, were consistent with standard practices for addressing a third-party software supply chain attack of this nature. The focus remained on determining the scope of the data exposure and fulfilling obligations to notify those affected.
