Columbia Bank Confirms 2025 Data Breach Exposed Personal Data, Offers Free Credit Monitoring Until July 2026

TL;DR: Columbia Bank confirmed that a breach between October 2 and December 22, 2025 exposed personal information of its customers, and is offering free Experian IdentityWorks Credit 3B monitoring until July 2026. Affected individuals must enroll by July 31, 2026 to receive the service.

Context: Columbia Bank, a major regional bank headquartered in Tacoma, Washington, disclosed the incident to the California Attorney General on April 17, 2026. The bank stated that an unknown third party gained access to certain applications during late 2025.

Key Facts: Unauthorized access occurred from October 2, 2025 through December 22, 2025. On March 6, 2026 the bank completed a review and confirmed that the accessed data included personal information, though specific data types have not been publicly disclosed. The bank is providing a one‑year Experian IdentityWorks Credit 3B membership, which monitors credit files at all three bureaus, provides identity restoration support, and includes up to $1 million in identity theft insurance. Enrollment must be completed by July 31, 2026 via online portal or by calling 877‑288‑8057.

What It Means: Customers whose data was accessed face heightened risk of identity theft and fraudulent account opening. The offered monitoring service helps detect misuse of personal information, but does not prevent future breaches. Organizations should note that delayed disclosure—over four months after the intrusion ended—can affect customer trust and regulatory scrutiny.

Mitigations / What Defenders Should Do: - Enforce multi‑factor authentication on all remote and privileged access points. - Review and tighten application access controls, applying the principle of least privilege. - Enable detailed logging for authentication and data access events; correlate logs with MITRE ATT&CK technique T1078 (Valid Accounts) and T1059 (Command‑and‑Control Scripting). - Regularly patch web‑application frameworks and subscribe to vendor advisories for known CVEs. - Conduct periodic threat‑hunting exercises focused on credential‑based lateral movement.

Watch for Columbia Bank’s forthcoming root‑cause report and any regulatory actions that may follow the breach disclosure.