
Citizens Financial Group and Frost Bank — shared-vendor Everest ransomware breach

Everest ransomware compromised a shared third-party vendor handling statement printing for Citizens and tax document fulfilment for Frost, exposing roughly 3.65 million customer records.

Target: Citizens Financial Group and Frost Bank (via a shared third-party vendor)
Date public: 28 April 2026
Sector: Financial Services
Attack type: Supply Chain
Threat actor: Everest ransomware
Severity: High
Region: United States

On 28 April 2026 Citizens Financial Group disclosed a data breach to the Massachusetts Attorney General involving a third-party vendor’s systems. The Everest ransomware group had listed both Citizens and Frost Bank on its dark-web extortion portal eight days earlier, on 20 April, with a six-day deadline to pay before the dataset went public. Everest claimed roughly 3.4 million Citizens customer records and 250,000 Frost Bank records, with fields including names, addresses, Social Security numbers, tax identification numbers, mortgage interest rates, investment data and other regulated financial information.

Both banks have stated that the intrusion was not against their own networks. The compromised vendor handled statement printing for Citizens and tax-document fulfilment for Frost, giving the same supplier custody of regulated financial-services data on behalf of two unrelated Tier-1 US banks.

By 24 April 2026, two proposed class actions had been filed in the US District Court in Providence, Rhode Island, by claimants in Ohio and Maine, alleging negligence and breach of implied contract; American Banker reported six proposed class actions across both banks within a fortnight of the leak-site listing. The legal theory in those filings, that the Gramm-Leach-Bliley Act (GLBA) places ultimate accountability on the regulated financial institution rather than on its vendor, regardless of any contractual indemnity, is likely to be the defining read-across from this incident for financial-services regulators in other jurisdictions.

A deep-dive will follow once the vendor is publicly named, the data taxonomy is confirmed by the banks’ breach-notification letters, and the early class-action pleadings reach a substantive ruling.

Controls that would have helped

Defender controls catalogued in the Controls Desk that would have changed the outcome of this incident, or limited its blast radius. Sourced from regulator and framework guidance — never vendors.

Sources
