Citizens Financial Group and Frost Bank — shared-vendor Everest ransomware breach
Everest compromised a shared vendor handling statement printing for Citizens and tax-document fulfilment for Frost, claimed 3.65 million records; the vendor remains unnamed.
- Target: Citizens Financial Group and Frost Bank — shared-vendor Everest ransomware breach
- Date public: 28 April 2026
- Sector: Financial Services
- Attack type: Supply Chain
- Threat actor: Everest
- Severity: High
- Region: United States
In April 2026 the Everest extortion crew posted Citizens Financial Group and Frost Bank to its dark-web leak site, claiming 3.4 million Citizens customer records and 250,000 Frost records — including Social Security numbers, tax identification numbers, mortgage interest rates and investment data. Neither bank was breached directly. The data came from a third-party vendor that handles statement printing for Citizens and tax document fulfilment for Frost, a single supplier with custody of regulated financial-services data on behalf of two unrelated US banks. Six weeks on, neither bank has named the vendor publicly, and none of the half-dozen class actions filed against the banks has either. In the same window Everest also listed Fiserv, Symcor and TSYS — between them most of the back-office plumbing of North American banking. The Citizens/Frost incident is the first known concrete victim of a systematic Everest campaign against financial-services back-office providers, not a one-off vendor compromise.
On 20 April 2026 the Everest extortion group listed Citizens Financial Group and Frost Bank on its dark-web leak site, set a six-day countdown, and claimed roughly 3.4 million Citizens customer records and around 250,000 Frost Bank records. The data fields advertised were specific in a way that should have set off alarm bells immediately: names and addresses, Social Security numbers, tax identification numbers, mortgage interest rates, investment data and other regulated financial information. The next day, Citizens issued a statement attributing the incident to a third-party vendor. Frost issued a similar statement on 22 April. Neither bank’s network was breached. The two unrelated banks turned out to share a single supplier with custody of regulated customer data on behalf of both. Six weeks on, neither bank has publicly named the vendor, and none of the half-dozen class actions filed against them has either.
The vendor’s function across the two banks is what makes the incident architecturally telling. For Citizens, it handles statement printing — paper customer statements at scale, mailed to retail and small-business account holders. For Frost, it handles tax document fulfilment — 1098 mortgage interest forms, 1099-INT interest statements, and the supporting customer-identifier datasets behind them. Those are two distinct outsourced functions, run for two unrelated banks, hosted on a single vendor’s infrastructure. Whatever the access path, it gave Everest custody of a regulated dataset that neither bank’s own network ever held in that consolidated form. The intrusion vector itself has not been disclosed in primary detail. Everest’s wider tradecraft pattern, documented in profiles from Halcyon and ZeroFox, leans on exposed RDP services, credentials purchased from initial-access brokers, and a corporate-insider recruitment programme the group has run continuously since October 2023. Any of those three would fit the Citizens/Frost vendor profile.
What is most worth tracking is the company Citizens and Frost are now keeping on Everest’s leak site. Between 2 and 3 May 2026, Everest added three more North American financial-services back-office providers: TSYS, the US payment-processing subsidiary of Global Payments; Symcor, the Canadian business-process outsourcing firm that handles statement and document operations for the Big Five Canadian banks; and Fiserv, the Milwaukee-headquartered fintech that provides core banking systems, payment processing, card-issuer processing, and the Clover point-of-sale platform to thousands of US institutions. None of those three has, at the time of writing, confirmed the breach claim. Everest’s listing accuracy across its 2026 activity is good enough that the cluster cannot be dismissed as opportunistic brand-touting. The pattern is plain: Everest spent a fortnight in April and early May 2026 working through the bank-vendor layer of North American financial services. Citizens and Frost are the first known concrete victims; whether others follow depends on whether those three downstream listings are sustained or quietly withdrawn.
The timeline of the disclosure rests on a six-day deadline that began on 20 April and expired on 26 April. Citizens declined to negotiate; Frost did the same. By 24 April, two class actions had been filed in the US District Court for the District of Rhode Island in Providence, by named plaintiffs Jillian Russell Hauser of Ohio and Lorien Hansford of Maine, each seeking damages in excess of $5 million on negligence and breach-of-implied-contract theories. American Banker recorded six proposed class actions across both banks within a fortnight of the leak-site listing. Frost’s discovery date of 20 April puts its Texas state-law notification deadline at approximately 20 May 2026 — five days from the date this deep-dive is being written. Citizens publicly stated that “most of the compromised data was masked test data, although a limited set of information for a small number of customers was involved” — a framing that, if accurate, would meaningfully cut the regulated record count below Everest’s 3.4 million claim. The dispute between Everest’s published volume and Citizens’ “limited” characterisation is the question the breach-notification letters will, by statute, eventually have to resolve.
The defender takeaway is the legal-and-architectural argument the New Jersey filings in the broadly comparable Conduent litigation are also testing. Gramm-Leach-Bliley places ultimate accountability for safeguarding non-public personal information on the regulated financial institution, not on the institution’s vendors. Section 501(b), Regulation S-P, and the FFIEC’s third-party risk management guidance all converge on the same proposition: contractual indemnity from a vendor does not transfer regulatory accountability away from the bank. That is the legal theory the plaintiffs’ bar is now stress-testing in Providence. The architectural question underneath it is the harder one. Most US banks of Citizens’ and Frost’s size outsource statement printing and tax document fulfilment to a small number of specialist vendors, because the alternative — building and operating that capability in-house — is uneconomic at scale. The result is a small set of vendor firms holding consolidated regulated datasets across multiple unrelated banks, with corresponding concentration of cyber-resilience risk. The Citizens/Frost incident is the worked example of what happens when one of those vendors is compromised. The defender lens worth carrying into a UK or European boardroom is the read-across to DORA Article 28’s critical-third-party regime, to PRA SS2/21’s outsourcing and operational-resilience rules, and to APRA CPS 234’s accountability framing in Australia. Each of those regimes is now testing, in different language, the same principle: the regulated firm remains accountable for the third party’s controls, and the third party’s controls remain a board-level question rather than a procurement-team one. 
The segmentation between the vendor’s corporate IT environment and the customer-data-custody environment, the egress monitoring on the vendor’s network, the credential hygiene on the vendor’s remote-access tooling — these are now things a bank’s CISO needs to be able to evidence about a vendor, not things the bank’s CISO can take on trust.
Whether the Citizens/Frost vendor is ever named publicly will depend on the litigation discovery process and the timing of state breach-notification rollouts. The structural question the incident raises does not depend on the name. A single supplier holding regulated data on behalf of two banks is two banks’ worth of resilience risk concentrated in one operational environment. After Conduent in the govtech layer, after Salesloft/Drift in the CRM layer, and now after Everest’s April-May 2026 cluster in the banking-back-office layer, the pattern is no longer surprising. The remaining question is which regulator moves first to convert the read-across into rule.
Sources
- American Banker — Customers sue Citizens, Frost over third-party data breach // reporting
- American Banker — Citizens, Frost blame vendor after data breach claim // reporting
- Cybernews — Frost Bank, Citizens Bank data leak: hackers set 6-day deadline // reporting
- Boston Globe — Class action lawsuits filed after Citizens Bank data breach (24 April 2026) // reporting
- ComplianceHub — Everest Ransomware’s Third-Party Breach and the GLBA Vendor Accountability Gap // analysis
- ZeroFox — Flash Report: Everest continues to tout prominent brands // analysis
- Halcyon — Everest threat-group profile // analysis