🗄️ Assets

Everest Ransomware Claims Citizens Bank Breach — 380 GB Including 250,000 SSNs and 3.4 Million Records

The Everest ransomware group claims to have stolen 380 GB of Citizens Bank customer data via a third-party vendor, including 250,000 Social Security Numbers and 3.4 million banking records. Citizens attributes the breach to a vendor, not its core systems — but regulatory notification obligations apply regardless.

4 min read
#ransomware#everest#data-breach#financial-sector#third-party-risk#pii-exposure

The Everest ransomware group published a dark web post on 20 April 2026 claiming responsibility for a breach affecting Citizens Bank, one of the largest US retail banks by deposit base. The group claims possession of 380 gigabytes of data including approximately 250,000 Social Security Numbers and 3.4 million banking records, and has set a publication deadline after which it will release the data publicly.

Citizens Bank issued a statement acknowledging the claim but asserted that the data originated from a third-party vendor rather than Citizens’ own network or core banking systems. The bank stated it had notified relevant regulators and was investigating the vendor incident.

Why Vendor Attribution Does Not Reduce Risk

The third-party framing matters operationally but not for the customers whose data is at stake or for regulators assessing Citizens’ obligations. Under the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule, financial institutions are responsible for ensuring service providers maintain appropriate safeguards for customer financial information. The obligation to protect customer data does not transfer to the vendor — Citizens remains the covered institution responsible for notification and remediation.

Regulatory timelines may already be running. NYDFS-supervised entities must report material cybersecurity events within 72 hours of a determination. Whether that determination clock started at the point of the dark web posting, when sample data was verified, or when the vendor confirmed the breach is a legal question with significant consequences. Engaging outside counsel with financial regulatory experience is not optional at this stage.

The practical risk to affected customers is unchanged regardless of where the data was physically stored. Social Security Numbers combined with banking records — account numbers, balances, transaction histories, and associated PII — represent the highest-impact category of financial data theft. They enable synthetic identity fraud, new account fraud, and social engineering of call centres with information that bypasses standard identity verification.

Everest’s Operational Profile

Everest operates a ransomware-as-a-service model with a persistent data extortion component that does not always involve encryption. In many Everest incidents, exfiltration is the primary mechanism — encryption is applied selectively as additional pressure. The group’s dark web claims have a high historical verification rate; their sample postings have consistently proven authentic in previous incidents.

The April 20 Citizens Bank posting is part of a broader Everest campaign that claimed multiple victims across financial services, manufacturing, and retail in the same period, including Frost Bank, a European aerospace component supplier, and several mid-market retail logistics companies. The multi-victim, multi-sector pattern suggests Everest is processing a backlog of access from initial access broker purchases targeting VPN and remote desktop endpoints at vendor organisations with weaker security postures than their financial sector clients.

The vendor-breach pattern — where a major financial institution’s customer data is exposed through a smaller third-party supplier — has become Everest’s recurring entry vector into financial sector targets. This is not a zero-day attack; it is a supply chain pressure calculation.

Data Types and Customer Exposure

The claimed dataset categories create specific fraud vectors:

  • Synthetic identity fraud: SSNs combined with banking metadata allow construction of synthetic identities for new account fraud, the fastest-growing category of financial fraud in the US market
  • Account takeover via social engineering: Knowledge of account numbers, balances, and recent transactions enables vishing attacks that bypass standard call centre verification
  • Targeted credential phishing: Detailed customer financial profiles allow personalised phishing campaigns far more convincing than generic financial institution impersonation
  • Activate vendor incident response protocols: Compel the third-party vendor to provide a forensic scope within 24 hours: what data was accessed, which systems were compromised, and the breach timeline
  • Conduct regulatory notification assessment immediately: Determine whether NYDFS, GLBA, and applicable state breach notification timelines are running; engage legal counsel before the next business day
  • Notify affected customers proactively: The public claim with sample data constitutes a known potential breach under most notification laws; do not wait for confirmed publication
  • Offer substantive remediation: A minimum of 24 months of credit monitoring with identity restoration support, not the industry-standard 12 months, is appropriate for SSN exposure at this scale
  • Audit vendor data minimisation: Review which vendors hold copies of customer financial PII and whether each retention is required under current contractual scope. Customers whose data appeared in a vendor environment should not have been there if the vendor’s operational scope did not require it.

Share this article