Citizens, Frost blame vendor after data breach claim

April 23, 2026

  • Key insight: Same-day leak posting plus document-production data in both banks’ samples points to a shared vendor compromise rather than two separate attacks, according to ZeroFox’s analysis shared with American Banker.
  • Supporting data: Everest’s victim-shaming site attributes 3.4 million records to Citizens and more than 250,000 Social Security numbers and taxpayer identification numbers to Frost; neither figure has been reconciled with the banks’ statements.
  • Forward look: Everest has threatened to publish the stolen files on April 25, which would be the first public test of the banks’ limited-exposure framing against Everest’s actual dataset.

Overview bullets generated by AI with editorial review

Ransomware group Everest recently claimed it stole 3.4 million records from Citizens Bank and 250,000 Social Security numbers from Frost Bank.

On Tuesday, the day after Everest listed the two banks as victims, Citizens issued a statement attributing the incident to a third-party vendor. Frost provided American Banker a similar statement on Wednesday. Neither bank has named the compromised vendor.

The data samples on Everest’s site suggest a single third-party compromise affected both banks, according to Adam Darrah, vice president of Intelligence at ZeroFox. The affected vendor appears to handle statement printing for Citizens and tax document fulfillment for Frost, Darrah told American Banker.

The samples do not suggest Everest reached internal systems at either bank, Darrah said.

The breach is yet another example of an attack on an outsourced vendor, affecting multiple banks in the fallout. In this case, the attack affects statement printing and tax-document outsourcing, which is common in banking and concentrated among a handful of large vendors.

ZeroFox has previously assessed that Everest likely overstates the volume and sensitivity of the data it claims to hold. So, the breach also serves as a case study in how banks calibrate their public response when the group claiming the breach has a documented record of overstating its plunder.

What the banks say vs. what Everest claims

In its April 21 statement, Citizens said most of what got stolen was masked test data, with a “limited set of information for a small number of customers” involved. The bank said it has no evidence of unauthorized access to its own network.

A spokesperson for Citizens did not directly respond to Everest’s claim that it had stolen 3.4 million records from the bank. The spokesperson told American Banker that the compromised data does not contain Social Security numbers.

Likewise, a spokesperson for Frost did not directly address Everest’s claim that it had stolen more than 250,000 Social Security numbers and taxpayer identification numbers from the bank.

The Frost spokesperson said the bank received a notification from a third-party vendor about unauthorized access to the vendor’s systems that “may have included Frost customer data.” Early findings indicate the incident “may be related to recent claims made by cybercriminals,” the spokesperson said.

Frost has engaged external cybersecurity experts and has no evidence of unauthorized access to its own network, the spokesperson added.

The spokesperson did not directly address Everest’s claim that the group had stolen more than 250,000 Social Security numbers and taxpayer identification numbers from the bank.

What we do and do not know

A single shared vendor compromise is the most likely explanation for the samples Everest has posted, Darrah said. The alternative scenario, in which two vendors in the same category were hit in a coordinated operation, is possible but less likely.

“The appearance of document-production-specific data in two banks within a single posting is probably not a coincidence,” Darrah said.

Several gaps in the public record remain. Neither bank has named the vendor. A Citizens spokesperson referred the question of whether it shares the vendor with Frost to Frost itself. A Frost spokesperson did not address the question.

Neither bank has publicly reconciled its framing with the specific counts in Everest’s claim. Frost has not said whether it confirms or disputes the claim outright. Neither bank has said whether it has notified its federal banking regulators.

Neither bank is new to a vendor-involved incident. Frost disclosed a compromise of third-party lockbox software in 2018 that affected roughly 470 commercial customers. Citizens notified 8,358 consumers in December 2024 of an incident it attributed to insider wrongdoing.

The scale of what Everest is now claiming would represent a different order of magnitude.

Everest and its credibility problem

The Everest ransomware and extortion group emerged in December 2020. An August 2024 threat-actor profile from the U.S. Department of Health and Human Services, or HHS, describes the group as Russia-based.

Everest shifted from pure double-extortion ransomware (encrypting a victim’s data and threatening to leak it publicly unless a ransom is paid) to a mix of data extortion and so-called initial access brokering (selling stolen access to other criminal groups) starting in late 2021 and specializing by 2023, the profile said.

The group has also run a program offering cash to corporate insiders in exchange for remote access, according to the HHS analysis.

Everest has likely exaggerated the quantity and quality of its alleged victim data and in some cases fabricated it entirely, ZeroFox concluded in a Feb. 6 report.

In the case of Citizens and Frost, the specifics of Everest’s claim (250,000-plus Social Security numbers and taxpayer identification numbers from Frost and 3.4 million banking records from Citizens) remain unverified.

The group is currently threatening to publish the stolen files on April 25.
