Citizens and Frost Banks Probe Vendor‑Linked Breaches as Ransomware Gangs Target Supply Chains
Citizens Bank and Frost Bank investigate vendor‑related data exposures amid rising ransomware threats, with no internal network compromise detected.

TL;DR: Citizens Bank and Frost Bank are each investigating breaches that originated at third‑party vendors, with no evidence of internal network intrusion. The probes come as ransomware groups like Everest use double‑extortion tactics and target supplier relationships.
Context: Both banks disclosed the investigations in April 2025 after vendors reported unauthorized access to systems that may have held customer data. Citizens Bank said most of the exposed information was masked test data, with a limited set of real customer details for a small number of individuals. Frost Bank learned from a vendor that hackers had gained access to its system and engaged external cybersecurity experts to assist.
Key Facts: Citizens Bank confirmed it is managing an incident where data was extracted from a third‑party vendor, emphasizing there is no evidence of unauthorized network access and that operations continue with enhanced monitoring. Frost Bank hired external experts; early findings link the incident to recent cybercriminal claims while also finding no evidence of unauthorized access to its own network. Both institutions appeared on the dark web site of the Everest ransomware gang, which gave them a six‑day window before threatening to leak stolen data. PYMNTS Intelligence research shows 43% of phishing attacks trace back to compromised vendors, and 38% of invoice fraud cases originate similarly.
What It Means: The investigations underscore how ransomware actors have shifted from pure encryption to double‑extortion, leveraging vendor trust to reach target organizations. The lack of internal network breach suggests attackers are exploiting weak points in the supply chain rather than bypassing perimeter defenses directly. For banks and similar firms, vendor risk management is now a frontline defense.
Mitigations: Organizations should enforce strict vendor access controls, requiring multi‑factor authentication and least‑privilege principles for any third‑party connection. Regularly review and patch third‑party software, prioritizing CVEs listed in the CISA Known Exploited Vulnerabilities catalog. Deploy network segmentation to isolate vendor portals from core banking systems. Monitor for exfiltration using detection signatures for MITRE ATT&CK techniques T1041 (Exfiltration Over C2 Channel) and T1071 (Application Layer Protocol). Finally, maintain an up‑to‑date incident response plan that covers ransomware negotiation protocols and double‑extortion scenarios.
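As an added illustration of the segmentation and exfiltration-monitoring points above (example code, not from the article or either bank), the script below checks constructed flow records from a hypothetical vendor-access segment for two conditions: a vendor host reaching the core-banking segment, and cumulative outbound volume to a non-allowlisted destination crossing a threshold. The network ranges, allowlist, threshold and flow records are all assumptions.

```python
"""Flag vendor-segment flows that break segmentation or look like exfiltration.

Added example; every range, address and threshold below is constructed.
"""
import ipaddress
from collections import defaultdict

# Hypothetical policy: vendor-access hosts may only talk to the vendor's own
# allowlisted endpoints and never to the core-banking segment.
VENDOR_SEGMENT = ipaddress.ip_network("10.50.0.0/24")
CORE_SEGMENT = ipaddress.ip_network("10.10.0.0/16")
VENDOR_ALLOWLIST = {ipaddress.ip_address("203.0.113.10")}  # TEST-NET-3 placeholder
EXFIL_BYTES_THRESHOLD = 50 * 1024 * 1024  # 50 MiB outbound per src->dst pair

# Constructed flow records: (src, dst, dst_port, bytes_out)
FLOWS = [
    ("10.50.0.5", "203.0.113.10", 443, 2_000_000),    # normal vendor traffic
    ("10.50.0.5", "10.10.3.20", 1433, 4_000),          # vendor host reaching core DB
    ("10.50.0.7", "198.51.100.25", 443, 30_000_000),   # not allowlisted, large
    ("10.50.0.7", "198.51.100.25", 443, 30_000_000),   # repeat crosses threshold
    ("10.10.3.20", "10.10.4.1", 443, 1_000),           # core-internal, out of scope
]


def detect(flows):
    """Return alerts for segmentation violations and T1041/T1071-style exfil.

    Volume is accumulated per (src, dst) pair so that many small transfers
    over an ordinary application-layer port still trip the threshold; the
    exfil alert fires once, when the running total first crosses it.
    """
    alerts = []
    outbound = defaultdict(int)
    for src, dst, port, nbytes in flows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if s not in VENDOR_SEGMENT:
            continue  # only vendor-access hosts are in scope here
        if d in CORE_SEGMENT:
            alerts.append(("SEGMENTATION_VIOLATION", src, dst, port))
            continue
        if d in VENDOR_ALLOWLIST:
            continue  # expected vendor endpoint
        total = outbound[(src, dst)] + nbytes
        if outbound[(src, dst)] < EXFIL_BYTES_THRESHOLD <= total:
            alerts.append(("POSSIBLE_EXFIL", src, dst, port))
        outbound[(src, dst)] = total
    return alerts


if __name__ == "__main__":
    for alert in detect(FLOWS):
        print(alert)
```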