
Apr 25, 2026 · 5 min read

Ransomware Hit Citizens Bank and Frost Bank Through a Vendor Neither Will Name—Two Class Actions Were Filed in Four Days

The Everest ransomware gang claims to hold 3.4 million Citizens Bank records and 250,000 Frost Bank records, all taken from a single third party vendor that neither bank will identify. Two federal class action lawsuits were filed within days.


Two Banks, One Vendor, Zero Answers

On April 20, the Everest ransomware gang posted Citizens Financial Group and Frost Bank on its dark web leak site with a simple ultimatum: pay up by April 27, or the stolen data goes public. The attackers claim to hold 3.4 million Citizens Bank records and 250,000 Frost Bank records, all taken from a single third party vendor that neither bank is willing to identify.

Citizens Financial Group is one of the largest regional banks in the United States, with more than $220 billion in assets. Frost Bank is a Texas based financial institution managing more than $50 billion. Both confirmed they were affected by a cyber incident. Both issued nearly identical statements: no evidence of unauthorized access to their own networks.

The breach originated at a third party vendor that handled statement printing for Citizens and tax document fulfillment for Frost. Neither bank has publicly named the vendor, and Citizens referred inquiries to Frost without resolution.

What the Attackers Claim They Stole

Everest published sample data to back its claims. For Citizens Bank, the group says it extracted a SQL database dump containing 3.4 million records with full names, home addresses, account numbers, and internal document flags. The attackers say no Social Security numbers or tax identification numbers were found in the Citizens data.

The Frost Bank data tells a different story. Everest claims those 250,000 records include Social Security numbers, tax IDs, mortgage interest rates, investment profits, income data, taxable amounts, and home addresses. This is precisely the kind of information found on tax documents, which matches the vendor's role in tax document fulfillment.

The Banks Push Back

Citizens Bank called the attackers' claims overstated. A spokesperson told the Boston Globe that "most of what got stolen was masked test data, with a limited set of information for a small number of customers." The bank said the actual exposure affects "a few thousand customers" and involves data typically found on written checks: names, addresses, and account numbers.

Frost Bank acknowledged the breach "may have included Frost customer data" but emphasized it found "no evidence of unauthorized access to the Frost network." The bank said customers can safely continue using all Frost services.

Security researchers note that Everest has exaggerated the scale and sensitivity of stolen data in past incidents. But even if the real numbers are a fraction of what was claimed, the underlying problem remains: two banks trusted the same vendor, and that vendor's failure exposed both.

Lawsuits Filed Within Days

The legal response was swift. Two class action lawsuits were filed in US District Court in Providence by April 24, just four days after Everest posted the data. Ohio resident Jillian Russell Hauser and Maine resident Lorien Hansford each filed suits alleging negligence and breach of implied contracts to protect customer data. Both seek damages exceeding $5 million.

Citizens Bank dismissed the lawsuit claims as "generally inaccurate" and said there is "no evidence of fraud resulting from this event." Whether courts agree will depend on whether the bank can demonstrate it conducted adequate due diligence on the vendor's security posture before entrusting it with customer data.

Why This Lands in Your Inbox

Stolen banking data fuels targeted phishing. When attackers have your name, address, and account number, they can craft emails that look indistinguishable from legitimate bank correspondence. The FBI reported that business email compromise and personal email fraud were the second largest driver of the $17.6 billion Americans lost to cyber fraud in 2025.

For Frost Bank customers, the risk is sharper. If Social Security numbers and income data were genuinely exposed, expect spear phishing emails impersonating the IRS, tax preparation services, or Frost itself. These messages will reference real financial details to build trust before directing victims to credential harvesting pages.

Banking breaches also feed the broader ecosystem of email tracking and surveillance. Data brokers aggregate leaked financial information with existing marketing profiles, giving advertisers a richer picture of your spending habits and financial status, all of which can be delivered through invisible tracking pixels embedded in promotional emails.

Third Party Risk Is the Common Thread

This breach follows a pattern that has defined 2026. ShinyHunters breached Canada Life through Salesforce. Qilin ransomware hit a healthcare provider through a third party IT vendor. Now Everest has reached two banks through a shared document processing vendor.

The lesson is the same every time: your bank may have invested millions in its own cybersecurity, but if its vendors have not, the investment is irrelevant. The weakest link in financial services is rarely the bank itself.

What Affected Customers Should Do

  • Monitor your bank statements for unauthorized transactions
  • Place a free fraud alert with one of the three major credit bureaus (Equifax, Experian, or TransUnion)
  • Consider freezing your credit, especially if you are a Frost Bank customer, since SSN exposure is alleged in the Frost data
  • Watch for phishing emails impersonating either bank. Attackers who have your name and account data can craft convincing messages
  • Do not click links in unsolicited emails claiming to offer breach protection or identity monitoring
  • If you receive a breach notification letter, verify it by calling the number on the back of your bank card, not the number in the letter
