Citizens Bank and Frost Bank breached via third-party vendor - Everest ransomware claims 3.4M and 250K records, deadline expires today

The Everest ransomware group listed Citizens Financial Group and Frost Bank on its leak site on April 20 with a six-day deadline that expires today. Everest claims 3.4 million Citizens records (names, addresses, account numbers) and 250,000 Frost records with the more sensitive set: SSNs, tax IDs, mortgage rates, and income data. Both banks confirmed the breach traces to a third-party vendor - a statement-printing provider for Citizens, a tax-document fulfillment firm for Frost - rather than direct compromise. Citizens disclosed publicly April 21; class-action lawsuits were filed April 23.

Check

If you bank with Citizens or Frost, monitor accounts and credit reports closely, and treat any inbound communication referencing real account or mortgage details as hostile.

Affected

Citizens Financial Group customers (3.4M records claimed; addresses, names, account numbers in samples) and Frost Bank customers (~250K records; samples include SSNs, tax IDs, mortgage rates - high identity-theft risk). Any organization that shares customer PII with statement-printing, tax-document, or marketing-mail vendors faces equivalent third-party exposure.

Fix

Affected consumers: place a credit freeze, enable 2FA on banking apps, and watch for tax and mortgage fraud since the leak window straddles US filing deadlines. Organizations: pull your vendor PII inventory, identify which downstream printers and tax processors hold equivalent record types, and renegotiate contracts to mandate at-rest encryption and breach notification SLAs.