2023-06-27 COLUMBIA BANKING SYSTEM, INC. Cybersecurity Incident

Page last updated on April 11, 2024

COLUMBIA BANKING SYSTEM, INC. initially disclosed a cybersecurity incident in an SEC 8-K filing on 2023-06-27 16:49:07 EDT.

Incident Details

Material: Unknown
Is Breach: Unknown
Records Compromised: Unknown
Data Types Impacted: No Data Types Tracked (yet)

Compromised Date:
Detected Date: 2023-06-21
Disclosure Date: 2023-06-27
Contained Date:
Recovered Date:

Attack Goal: Unknown

Costs: No Costs Tracked (yet)


8-K filed on 2023-06-27

COLUMBIA BANKING SYSTEM, INC. filed an 8-K at 2023-06-27 16:49:07 EDT
Accession Number: 0000887343-23-000274

Item 8.01 Other Events.

On June 21, 2023, Umpqua Bank, a wholly owned subsidiary of Columbia Banking System, Inc. (the “Company”), was informed by one of its technology service providers (the “Vendor”) that a widely reported security incident involving MOVEit, a filesharing software used globally by government agencies, enterprise corporations and financial institutions, resulted in the unauthorized acquisition by a third party of the names and social security numbers or tax identification numbers of certain of Umpqua Bank’s consumer and small business customers (the “Vendor Incident”).

Other than the information described above, no Umpqua Bank account information was compromised as a result of the Vendor Incident, and no information from Umpqua Bank’s commercial customers was involved in the Vendor Incident.

On June 22, 2023, Umpqua Bank sent an email to potentially affected consumer and small business customers informing them of the Vendor Incident. Umpqua Bank is working with the Vendor to provide formal notification to all such consumer and small business customers with additional information and resources. In the interim, consumer and small business customers who have questions are encouraged to reach out to their local Umpqua Bank branch or to call (866) 485-7782.

Separately and as communicated earlier this month, Umpqua Bank experienced an on-premise MOVEit security incident. The on-premise instance was removed from the network immediately and decommissioned, and the unauthorized actor did not obtain any customer information or Umpqua Bank data. An independent forensics firm was engaged and confirmed the Company’s assessment of this on-premise MOVEit incident, which did not cause any interruption of business operations.

While the Company is continuing to measure the impact, the Company does not currently believe the Vendor Incident or on-premise incident will have a material adverse effect on its business, operations, or financial results.

Company Information

SIC DescriptionState Commercial Banks
TickerCOLB - Nasdaq
CategoryLarge accelerated filer
Fiscal Year EndDecember 30