
Everest Ransomware Claims Citizens Bank Data via Vendor — 250,000 SSNs and 3.4 Million Banking Records Allegedly Stolen

The Everest ransomware group claims to have stolen 380 GB of Citizens Bank customer data including 250,000 Social Security Numbers and 3.4 million banking records through a third-party vendor breach. Under GLBA and NYDFS regulations, Citizens bears breach notification obligations regardless of vendor attribution. Regulatory timelines may already be running.

Tags: #GLBA #NYDFS Part 500

What Happened

The Everest ransomware group — a financially motivated cybercriminal organisation with a well-documented record of confirmed data theft — published a claim on 20 April 2026 stating they hold 380 gigabytes of data from Citizens Bank. The claimed dataset includes approximately 250,000 Social Security Numbers and records for 3.4 million bank customers, including account details and personal financial information.

Citizens Bank confirmed awareness of the claim and stated the data originated from a third-party vendor rather than Citizens’ direct systems. The vendor has not been publicly identified. Everest has posted sample data and set a deadline for payment, after which they state they will release the full dataset.

Business Impact

The attribution to a vendor does not reduce Citizens Bank’s legal, regulatory, or reputational exposure. Under the Gramm-Leach-Bliley Act Safeguards Rule, covered financial institutions are responsible for the protection of customer financial data regardless of where that data is physically held — including at service providers. The notification obligation runs from Citizens, not from the vendor.

If Citizens Bank is subject to New York Department of Financial Services Cybersecurity Regulation (Part 500), a material cybersecurity event must be reported to NYDFS within 72 hours of determination. Whether a determination has already been reached is a question that should have been before legal and compliance leadership within hours of the dark web posting.

The data types claimed — Social Security Numbers and detailed banking records — represent the highest-impact category of financial identity data. They enable synthetic identity fraud at a scale that credit monitoring does not prevent, and they enable account takeover through social engineering of call centres, because the stolen details are the same information used in standard caller verification.

Everest’s claims carry high credibility. Their historical rate of authentic sample data across public claims is well-established. This does not confirm the breach — investigation is required — but it means treating the claim as speculative is not a defensible posture.

Regulatory Implications

Financial institutions reviewing their own third-party vendor risk in light of this incident should note:

  • GLBA Safeguards Rule requires vendor oversight: Annual review of service provider security controls is a compliance requirement, not a best practice. A vendor breach affecting customer financial data is evidence of a Safeguards Rule compliance gap.
  • NYDFS Part 500 penetration testing requirements: NYDFS-regulated entities are required to conduct periodic penetration testing of their covered systems — and to confirm that service providers holding covered data meet equivalent standards.
  • Multi-state notification complexity: SSN and banking data exposure affecting customers across states triggers notification obligations in every state where affected customers reside, each with distinct timelines and content requirements.

Board-Ready Summary

A prolific ransomware group is publicly claiming to hold 3.4 million Citizens Bank customer records, has posted sample data that appears authentic, and has set a deadline for public release. Under US financial regulations, Citizens Bank bears legal responsibility for notifying affected customers and regulators — the fact that the data may have been stolen from a vendor, not Citizens directly, does not change this obligation.

Leadership must make a regulatory disclosure decision within 24–48 hours. Every day of delay increases both regulatory penalty exposure and the reputational damage that follows when customers learn of the breach from news coverage rather than directly from the bank.

Immediate — within 24 hours:

  1. Convene legal, compliance, and incident response leadership to assess whether a breach determination under GLBA and NYDFS Part 500 has been reached; if yes, begin regulatory notification procedures
  2. Demand a full forensic scope from the third-party vendor within 24 hours: exactly what data was accessed, what systems were compromised, and the breach timeline

Within 48 hours:

  1. If the breach is confirmed or probable, begin customer notification planning and engage credit monitoring providers for affected individuals — offer a minimum of 24 months of coverage
  2. File NYDFS notification if applicable and begin GLBA Safeguards Rule documentation

Within 72 hours:

  1. Complete multi-state notification assessment; engage outside counsel with financial regulatory experience across relevant jurisdictions

Ongoing:

  1. Conduct a third-party vendor risk review identifying all vendors holding material customer financial data and confirming each has been assessed under GLBA Safeguards Rule service provider oversight requirements; this incident is evidence of a gap that extends beyond a single vendor relationship