Financial Services | April 23, 2026 | Washington State

Heritage Bank

A 99-year-old Washington community bank had Social Security numbers and financial data for nearly 183,000 people stolen from an internal file share server.

Data exposed: Social Security numbers, account numbers, dates of birth, addresses, financial information, government-issued IDs
1. What happened?

On March 1, 2026, an unauthorized party accessed Heritage Bank's internal file share server and copied files containing customer and employee data. The bank detected the breach the next day—fast detection, but the data was already gone.

Heritage Bank, a community bank founded in 1927 with branches across Washington state, filed disclosures with attorneys general in California, Massachusetts, Nebraska, Oregon, and Texas. The final count: 182,793 people affected, with 168,505 in Washington alone.

2. What data was actually inside?

Names combined with Social Security numbers. Individual taxpayer identification numbers. Bank account numbers. Dates of birth. Addresses. Government-issued ID numbers. Financial information.

This is the complete identity theft package: everything needed to open new accounts, file fraudulent tax returns, or impersonate someone to their bank.

3. Who gets hurt and how?

Nearly 183,000 people—customers and employees—who trusted a community bank to protect their most sensitive financial information. SSNs paired with dates of birth and addresses enable synthetic identity fraud, tax refund theft, and new account fraud.

Credit monitoring helps detect some fraud. It doesn't prevent it. And it does nothing for tax identity theft, where the damage is done before anyone knows to look.

4. What did they think they were doing right?

Heritage Bank says "customer accounts, customer systems and operations were not impacted." The core banking systems stayed secure. The transaction processing kept running. The customer-facing applications were untouched.

But the file share server—the one employees use for internal documents—had 183,000 people's identity data on it. Production systems were protected. The file share wasn't.

5. What did they not know about their own data?

They didn't know—or didn't act on—how much sensitive data had migrated to a general-purpose file share. SSNs on a file share server. Account numbers on a file share server. Government IDs on a file share server.

File shares become data graveyards. Employees save copies for convenience. Old reports get archived. Spreadsheets accumulate. Nobody audits what's actually there—until someone else does.

If your business runs on databases, you probably have similar records—customer data, credentials, financial information. Do you know what's actually in yours?

6. What does attribution look like the morning after?

Seven weeks from breach to notification. Seven weeks to analyze the stolen files, identify each individual, determine what data was exposed for each person, and prepare notices. Multi-state AG filings. Class action lawyers already advertising.

The attacker hasn't been publicly identified. The bank likely doesn't know either. What matters now is the 182,793 notifications, the credit monitoring costs, and the legal exposure that's just beginning.

7. What would have changed the outcome?

Knowing that 183,000 SSNs had accumulated on an employee file share server.

The core banking systems were protected. The file share wasn't. A data inventory would have revealed that sensitive customer data had migrated outside protected systems—into a general-purpose file share with different access controls and different risk profiles. You can't protect data you don't know exists where it shouldn't.
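As an added example (not part of the original report or the bank's tooling), here is the kind of data-inventory pass that surfaces what sections 5 and 7 describe: it walks a file share, looks for SSN-shaped values, and applies the SSA's structural issuance rules (area never 000, 666 or 900-999; group never 00; serial never 0000) to drop placeholders before reporting which files hold them. The sample files are constructed and written to a temporary directory so the script runs offline.

```python
import os
import re
import tempfile

# Matches the 3-2-4 layout; the structural checks below cut false positives.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")

def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues: area 000, 666 or 900-999,
    group 00, serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"

def count_ssns(text: str) -> int:
    """Number of distinct plausible SSNs in a piece of text."""
    found = {m.group(0) for m in SSN_RE.finditer(text)
             if is_plausible_ssn(*m.groups())}
    return len(found)

def inventory_share(root: str, max_bytes: int = 5_000_000) -> dict:
    """Walk a share and report files holding plausible SSNs: {path: count}."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.getsize(path) > max_bytes:
                continue  # skip very large files; a full tool would sample them
            with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                n = count_ssns(fh.read())
            if n:
                hits[os.path.relpath(path, root).replace(os.sep, "/")] = n
    return hits

# Constructed sample content standing in for an internal share (not real data).
SAMPLE_FILES = {
    "hr/payroll_2019.csv": "name,ssn\nA. Example,219-09-9999\nB. Example,512-33-4411\n",
    "finance/notes.txt": "tickets 000-12-3456, 123-00-4567 and 123-45-0000 are not SSNs\n",
    "ops/runbook.md": "# Restart procedure\nNo customer data here.\n",
}

def demo() -> dict:
    """Write the constructed samples into a temp directory and inventory it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, content in SAMPLE_FILES.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(content)
        return inventory_share(root)

if __name__ == "__main__":
    for path, n in sorted(demo().items()):
        print(f"{n:>4} SSN(s)  {path}")
```

Only the payroll export is reported; the placeholder-looking values in the notes file are filtered by the structural rules, which is the difference between an inventory people act on and one they ignore.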

Heritage Bank found out the hard way.

Your team could spend the next 6 months rebuilding systems, notifying customers, and answering legal questions. Or you could spend 24 hours finding out what's actually at risk.