Full Report
On or about March 2, 2026, Heritage Financial Corporation (the "Company") detected a cybersecurity incident involving an internal file share server used by employees and the exfiltration of files from that file share server which may contain personal information. The Bank's customer accounts, customer systems and operations were not impacted. Promptly following detection, the Company initiated its security incident response plan and began deploying measures to stop the unauthorized activity, including taking the affected system offline. The incident did not cause any disruptions in the Company's operations, which have continued throughout this time in the ordinary course. The Company has launched a thorough investigation and engaged experienced external advisors, including an independent forensic investigation firm and legal counsel, to assess, contain, and remediate the incident. The Company also promptly notified its banking regulators, law enforcement and cyber insurance carrier. While the investigation is ongoing, as of the date of this filing, the Company has not determined that the cyber incident is material or that it has had, or is reasonably likely to have, a material impact on the Company's financial condition or results of operations.
Analysis Summary
# Incident Report: Heritage Financial Corporation File Share Exfiltration
## Executive Summary
On March 2, 2026, Heritage Financial Corporation detected a cybersecurity incident involving unauthorized access and file exfiltration from an internal file share server. The company successfully isolated the affected systems, preventing any disruption to bank operations or impact on customer accounts. An investigation is ongoing to determine the full extent of the personal information compromised during the exfiltration.
## Incident Details
- **Discovery Date:** March 2, 2026
- **Incident Date:** On or about March 2, 2026
- **Affected Organization:** Heritage Financial Corporation (Parent of Heritage Bank)
- **Sector:** Financial Services / Banking
- **Geography:** Northwestern United States (Washington, Oregon, Idaho)
## Timeline of Events
### Initial Access
- **Date/Time:** Undisclosed (Prior to March 2, 2026)
- **Vector:** Unknown
- **Details:** Attackers gained access to an internal file share server used by employees.
### Lateral Movement
- **Details:** Not explicitly disclosed; however, the scope was limited to the internal file share server and did not reach customer-facing systems or core banking operations.
### Data Exfiltration/Impact
- **Details:** Files containing potential personal information were exfiltrated from the internal server. The company is currently assessing the volume and type of records compromised.
### Detection & Response
- **Discovery:** Detected by the Company on March 2, 2026.
- **Response actions taken:** Activated the security incident response plan, took affected systems offline, and engaged external forensic and legal advisors.
## Attack Methodology
- **Initial Access:** Undisclosed
- **Persistence:** Undisclosed
- **Privilege Escalation:** Undisclosed
- **Defense Evasion:** Undisclosed
- **Credential Access:** Undisclosed
- **Discovery:** Target identified as internal employee file share server.
- **Lateral Movement:** Limited/Not reported beyond the file share environment.
- **Collection:** Gathering of files stored on internal shares.
- **Exfiltration:** Exfiltration over C2 (Command and Control) channel (per MITRE ATT&CK mapping).
- **Impact:** Unauthorized disclosure of personal information.
## Impact Assessment
- **Financial:** Currently under assessment; deemed non-material as of March 20, 2026. Cyber insurance has been notified.
- **Data Breach:** Exfiltration of files containing personal information confirmed; specific record count unknown.
- **Operational:** No disruption; business operations continued in the ordinary course. Customer accounts and systems remained unaffected.
- **Reputational:** Minimal at present, since there was no operational downtime; this may change once affected individuals are notified.
## Indicators of Compromise
- **Network indicators:** None disclosed in the 8-K filing.
- **File indicators:** None disclosed.
- **Behavioral indicators:** Unusual data transfer patterns from the internal file share server to external destinations.
## Response Actions
- **Containment:** Affected file share systems were taken offline immediately upon detection.
- **Eradication:** Deployment of measures to stop unauthorized activity and engagement of a forensic firm to purge threat actor access.
- **Recovery:** Restoration of services from secure environments (completion status not disclosed); notification of banking regulators, law enforcement, and the cyber insurance carrier.
## Lessons Learned
- **Segmentation Success:** The isolation of the internal file share from core banking systems prevented a widespread operational collapse.
- **Visibility:** Early detection of exfiltration (on or about the day of the incident) allowed for rapid containment.
- **Data Centralization Risks:** Housing sensitive personal information on general employee file shares creates a high-value target for exfiltration.
## Recommendations
- **Zero Trust Architecture:** Implement stricter access controls and least-privilege policies for internal file shares.
- **Data Loss Prevention (DLP):** Deploy DLP tools to automatically block or alert on the exfiltration of files containing PII (Personally Identifiable Information).
- **Encryption:** Ensure data at rest on internal servers is encrypted to mitigate the impact of file theft.
- **Audit Logs:** Regularly review access logs for file servers to identify "smash-and-grab" style exfiltration attempts earlier.
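One way to act on the audit-log recommendation above and the behavioral indicator in the IoC section (a burst of reads from one account against an internal share): a sliding-window detector run over file-server access log lines. This is an added example written for this page, not tooling from Heritage Financial or its advisors; the log format, account names, share paths and thresholds are assumptions, and the sample log is constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical log format (constructed for this example, not the incident's
# real telemetry): "<ISO timestamp> <user> <client_ip> <action> <path> <bytes>"
def parse_line(line):
    ts, user, src, action, path, size = line.split()
    return datetime.fromisoformat(ts), user, src, action, path, int(size)

def detect_bulk_reads(lines, window=timedelta(minutes=5),
                      max_files=50, max_bytes=200_000_000):
    """Flag each (user, client_ip) pair that reads more than max_files distinct
    files or more than max_bytes within any sliding window of the given length.
    Lines are expected in time order. Returns {(user, ip): alert_details}."""
    recent = defaultdict(deque)   # (user, ip) -> deque of (ts, path, bytes)
    alerts = {}
    for line in lines:
        ts, user, src, action, path, size = parse_line(line)
        if action != "READ":      # only reads matter for a collection burst
            continue
        key = (user, src)
        q = recent[key]
        q.append((ts, path, size))
        while q and ts - q[0][0] > window:   # drop events outside the window
            q.popleft()
        files = {p for _, p, _ in q}
        total = sum(b for _, _, b in q)
        if len(files) > max_files or total > max_bytes:
            prev = alerts.get(key)
            if prev is None or len(files) > prev["files"]:   # keep the peak
                alerts[key] = {"first_seen": q[0][0].isoformat(),
                               "files": len(files), "bytes": total}
    return alerts

def sample_log():
    """Constructed sample: a user's normal daytime reads, then an account
    sweeping 80 HR documents in under three minutes late at night."""
    base = datetime(2026, 3, 2, 8, 0, 0)
    lines = [f"{(base + timedelta(minutes=7 * i)).isoformat()} jsmith "
             f"10.1.4.22 READ hr/doc_{i}.pdf 48000" for i in range(6)]
    lines += [f"{(base + timedelta(hours=14, seconds=2 * i)).isoformat()} "
              f"svc_scan 10.1.9.5 READ hr/emp_{i:03d}.pdf 120000"
              for i in range(80)]
    return lines

if __name__ == "__main__":
    for key, info in detect_bulk_reads(sample_log()).items():
        print(f"ALERT {key}: {info}")
```

Tune `window`, `max_files` and `max_bytes` to the share's normal traffic, and exempt known backup accounts explicitly rather than by raising the thresholds for everyone.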