Vendor Breach Exposes U.S. Banks to Cyber Threat

Two major U.S. financial institutions, Citizens Bank and Frost Bank, have confirmed separate data security incidents, disclosed on April 23, 2026, intensifying concerns about cybersecurity vulnerabilities within the banking industry.

The breaches have been attributed to the Everest ransomware group, which claims it gained unauthorized access to systems associated with both banks and extracted significant amounts of sensitive data. The group has reportedly added the institutions to its dark web leak portal, threatening to release the data if its demands are not met.

According to the group’s claims, as many as 3.4 million records connected to Citizens Bank may have been exposed, including customer names, addresses, and account details. In the case of Frost Bank, up to 250,000 records could be affected, with potentially more sensitive information such as Social Security numbers and tax identification data involved.

In its official response, Citizens Bank noted that much of the data involved appears to be masked or test information, with only a small portion linked to real customers. Frost Bank, in its own response, indicated that the exposure originated from a vendor’s environment and stressed that its core banking infrastructure remains secure.

Cybersecurity experts believe the dual exposure points to a supply chain attack, where attackers exploit weaker defenses within third-party partners to gain indirect access to high-value targets.

The situation is already escalating, with Frost Bank reportedly facing class-action lawsuits. Plaintiffs allege inadequate data protection measures and delays in notifying affected individuals.

For customers, the level of risk differs. The Citizens Bank incident may primarily increase exposure to phishing and scam attempts, while the Frost Bank breach, due to the nature of the data involved, poses a higher risk of identity theft and financial fraud.

Both banks have since engaged cybersecurity specialists, strengthened monitoring systems, and begun notifying impacted customers. They have also reassured stakeholders that normal operations remain unaffected.

This incident highlights a growing pattern in cybercrime, where attackers increasingly target third-party vendors as a gateway into larger, more secure organizations.

More broadly, the breaches underscore the rising sophistication of ransomware operations and the systemic risks facing global financial institutions. As threat actors continue to exploit stolen data for extortion, the events reinforce the need for stronger third-party risk management, enhanced data protection measures, and faster, more effective incident response strategies across the financial sector.
