Columbia Bank Reveals Late‑2025 Data Breach Affecting Customers, Offers Free Identity‑Theft Protection

Columbia Bank recently disclosed a data breach that exposed customer personal information during late 2025. The bank offers affected individuals one year of free identity protection services.

Columbia Bank, a regional institution headquartered in Tacoma, Washington, recently announced a data breach affecting its customers. The bank filed a disclosure with the California Attorney General on April 17, 2026.

An unauthorized third party accessed certain Columbia Bank applications between October 2, 2025, and December 22, 2025. This nearly three-month period saw an attacker gain access to systems containing customer data. A thorough review, completed by March 6, 2026, confirmed that personal information was compromised. While specific types of exposed data remain undisclosed, such breaches often involve names, addresses, financial account details, or Social Security numbers.

In response to the incident, Columbia Bank offers affected customers a complimentary one-year membership to Experian IdentityWorks Credit 3B. This service includes credit monitoring across three major bureaus, dedicated identity restoration support, and up to $1 million in identity-theft insurance. Customers must enroll by July 31, 2026, to activate these protections.

For organizations, this incident highlights the critical need for continuous monitoring and rapid incident response capabilities. Implementing robust access controls, multi-factor authentication (MFA) on all critical applications, and regular security audits can limit exposure windows. Post-breach, clear communication and practical support for affected individuals are essential. Security teams should focus on identifying and patching vulnerabilities, reviewing logs for suspicious activity, and educating employees on potential social engineering tactics.

Regulators and customers will now monitor Columbia Bank's ongoing security enhancements and the broader financial sector's response to similar persistent threats.