The biggest threat to your bank’s data might not be your bank at all.
In April 2026, the Everest ransomware group publicly claimed responsibility for data theft involving Frost Bank and Citizens Financial Group. Both institutions subsequently confirmed that cybersecurity incidents occurred within third-party vendor environments, not their internal networks. Public reporting and bank statements indicate that the incidents involved differing data types and volumes, but each underscores ongoing third-party risk exposure within the financial services sector.
Everest is a ransomware group that operates using a ransomware‑as‑a‑service (RaaS) model. A core group develops and maintains the ransomware and associated infrastructure, while affiliated actors deploy the malware against targeted organizations. In exchange, proceeds from extortion payments are typically shared between the operators and affiliates. Everest employs a data extortion strategy, whereby data is exfiltrated and victims are threatened with public disclosure if ransom demands are not met.
Ransomware Claims and Data Extortion
Everest listed both banks on its dark web leak site on April 20, 2026, publishing limited data samples and issuing deadlines before threatening broader disclosure. For Frost Bank, the group claimed access to approximately 250,000 customer records containing highly sensitive personal and financial data. For Citizens Financial Group, Everest claimed to possess approximately 3.4 million records, though sampled data appeared more limited in sensitivity.
Bank Statements and Vendor Involvement
Citizens Financial Group stated that the incident involved data extracted from a third-party vendor and that most of the affected information consisted of masked test data, with only a limited set of real customer information involved. The bank reported no evidence of unauthorized access to its internal network and indicated that affected customers were being contacted directly. Frost Bank similarly reported that a third-party vendor experienced unauthorized access that may have involved Frost customer data, and that the bank’s internal systems were not compromised.
Potential Risk Considerations
Public reporting suggests that the Frost Bank data samples, if representative, could present higher identity theft and fraud risks due to the inclusion of Social Security numbers and tax identifiers. The Citizens Financial Group data, while larger in volume based on the ransomware group’s claims, appears more likely to be used for phishing, scams or customer profiling rather than direct identity theft, based on reviewed samples. In both cases, record counts and data completeness could not be independently verified at the time of reporting.
Litigation Developments
In the aftermath of the reported incidents, customers have filed lawsuits against Citizens Financial Group and Frost Bank, alleging that the institutions failed to adequately safeguard customer information following third‑party vendor breaches. Public reporting indicates that the complaints generally assert negligence and seek damages related to the alleged exposure of personal and financial information, even though the banks have stated that their internal systems were not compromised. As is common following high‑profile data incidents, these legal actions remain in early stages, and the ultimate scope, merits and outcomes have yet to be determined.
Third-Party Risk: A Persistent Threat to Banks and Their Customers
The Everest ransomware claims involving Frost Bank and Citizens Financial Group underscore a critical reality for financial institutions: vendor-related cyber incidents can create significant operational, regulatory and reputational exposure even when core bank systems remain uncompromised. In these cases, sensitive data exposure alone can trigger regulatory scrutiny, litigation and lasting damage to customer trust.
Managing this risk requires more than contractual assurances; it demands ongoing, risk‑based oversight across the entire vendor lifecycle.
How Schneider Downs Can Help
Schneider Downs supports financial institutions in strengthening third-party risk management and cybersecurity programs that address vendor-related exposures. Our professionals assist with due diligence, ongoing monitoring, and contract governance across the vendor lifecycle, with a focus on data handling, access management, and control effectiveness within critical service providers.
We also work with institutions to enhance cybersecurity governance and incident response readiness related to third-party environments. This includes evaluating vendor security controls, testing incident response coordination with key providers and aligning third-party cybersecurity practices with regulatory expectations and internal risk tolerance. Through an integrated approach, we help institutions improve visibility into vendor risk while strengthening resilience to data extortion and ransomware-driven events.
If your organization needs assistance in proactively addressing these risks, please contact our team at [email protected].
About Schneider Downs Financial Services
The Schneider Downs Financial Services industry group supports financial institutions as they navigate evolving risk, regulatory and governance challenges. Our professionals work with institutions to strengthen internal audit, risk advisory and related risk management programs that support sound decision-making, operational effectiveness and regulatory alignment.
Through services spanning internal audit, risk advisory, IT risk advisory, third-party risk management, fraud risk advisory and enterprise risk and compliance, we help financial institutions design and enhance resilient, risk-based programs aligned with their strategic objectives and operating environment.
To learn more, visit our Financial Services Industry Group page.