
Everest Claims 3.4M Citizens Records, 250K Frost SSNs; ZeroFox Points to Shared Vendor Breach

Everest ransomware group claims 3.4M Citizens Bank records and 250K Frost Bank SSNs were stolen. ZeroFox points to a shared third-party vendor breach.

By Peter Olaleru, Cybersecurity Editor (3 min read)

Image: Citizens Financial Ahead Of Earnings Figures

Source: American Banker (original source)

The Everest ransomware group claims a substantial data theft from Citizens Bank and Frost Bank, amounting to 3.4 million records and over 250,000 Social Security numbers respectively. ZeroFox analysis indicates a single third-party vendor breach likely enabled these incidents.

Context

Cybersecurity threats frequently target the extended supply chain, and financial institutions are particularly exposed. The Everest ransomware group recently announced claims of major data compromises involving two prominent banks. The incident highlights the risk introduced by third-party service providers in the banking sector, where outsourced services are common and often concentrated among a few large vendors.

Key Facts

Everest asserts it stole 3.4 million records from Citizens Bank. Separately, the group claims to possess over 250,000 Social Security numbers and taxpayer identification numbers associated with Frost Bank.

ZeroFox, a threat intelligence firm, analyzed samples of the exposed data. Its findings suggest a single third-party vendor breach as the origin of both alleged incidents. The simultaneous listing of both banks as victims, together with document-production data specific to the same producer appearing in both samples, points strongly to a shared compromise rather than two independent attacks. The vendor reportedly handles statement printing for Citizens and tax document fulfillment for Frost; services of this kind require access to sensitive customer information, which is why a breach at one vendor can surface as incidents at several banks at once.

Everest has escalated its threat by stating it will publicly release the stolen data on April 25. That release would provide the first direct public check of the banks' limited-exposure claims against the group's alleged dataset. Neither bank has publicly confirmed the specific record counts claimed by Everest, nor identified the compromised vendor.

What Defenders Should Do

This incident underscores the need for a robust third-party risk management program. Organizations should run stringent vendor security assessments, including continuous monitoring and regular audits scoped to each vendor's risk profile. Data minimization is paramount: limit what customer data a vendor receives to what its job actually requires, so that a breach at the vendor exposes less. Enforce strong access controls, multi-factor authentication (MFA) and least privilege on every system that touches vendor data exchange. Develop and regularly test incident response plans tailored to supply chain breaches, where the compromised system is not yours and the first notice may come from a leak site rather than from the vendor. Proactive dark web monitoring can detect early signs of compromised data or vendor exposure and allow preemptive action. The Everest situation warrants a critical reassessment of security posture across all external partnerships.
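The data-minimization point above is easiest to see in code. The following is an added illustration written for this article; it is not code from Citizens, Frost, ZeroFox or Everest. It assumes a bank-side export step that projects a full customer record onto a per-vendor allowlist before the record is handed to an outsourced print or tax-form job, replaces the real account number with a keyed pseudonym, masks the SSN to its last four digits, and runs a final egress check for anything that slipped through. The vendor names, field names, HMAC key and sample records are constructed for the example.

```python
"""Data-minimisation gate for records exported to an outsourced document-production vendor.

Added illustration for this article, not code from either bank or from any vendor.
Vendor names, field names, the key and the sample records are constructed assumptions.
"""
import hashlib
import hmac
import re

# Hypothetical per-vendor allowlists: each outsourced job gets only the fields it needs.
# A statement printer does not need SSNs; a tax-form fulfiller does not need statement PDFs.
VENDOR_FIELDS = {
    "statement_printing": {"account_ref", "name", "mailing_address", "statement_pdf"},
    "tax_form_fulfillment": {"account_ref", "name", "mailing_address", "ssn_last4", "tax_year"},
}

SSN_RE = re.compile(r"\d{3}-\d{2}-\d{4}")
# Assumed bank-held secret; never shared with the vendor, rotated like any other key.
PSEUDONYM_KEY = b"constructed-demo-key-rotate-me"


def mask_ssn(ssn: str) -> str:
    """Keep only the last four digits; reject malformed values rather than passing them through."""
    if not SSN_RE.fullmatch(ssn):
        raise ValueError("malformed SSN")
    return "***-**-" + ssn[-4:]


def pseudonymise_account(account_number: str) -> str:
    """Deterministic keyed reference so the vendor can report on a job without holding the account number."""
    mac = hmac.new(PSEUDONYM_KEY, account_number.encode(), hashlib.sha256)
    return "ref-" + mac.hexdigest()[:16]


def minimise(record: dict, vendor: str) -> dict:
    """Project a full customer record onto the vendor's allowlist, deriving masked fields as needed."""
    allowed = VENDOR_FIELDS[vendor]
    out = {}
    if "account_number" in record and "account_ref" in allowed:
        out["account_ref"] = pseudonymise_account(record["account_number"])
    if "ssn" in record and "ssn_last4" in allowed:
        out["ssn_last4"] = mask_ssn(record["ssn"])
    # Raw ssn and account_number never appear in any allowlist, so they are dropped here.
    for key, value in record.items():
        if key in allowed:
            out[key] = value
    return out


def egress_violations(batch: list) -> list:
    """Last-line check on the outbound batch: a raw identifier here is a pipeline bug, not a vendor problem."""
    problems = []
    for i, rec in enumerate(batch):
        for key, value in rec.items():
            if key in ("ssn", "account_number"):
                problems.append(f"record {i}: raw field {key}")
            elif isinstance(value, str) and SSN_RE.search(value):
                problems.append(f"record {i}: SSN pattern in {key}")
    return problems


def export_batch(records: list, vendor: str):
    """Minimise every record for the vendor and refuse to export if the egress check fails."""
    batch = [minimise(r, vendor) for r in records]
    problems = egress_violations(batch)
    return batch, problems


# Constructed sample record: what the bank's core system holds about one customer.
SAMPLE_RECORDS = [
    {
        "account_number": "1234567890",
        "ssn": "123-45-6789",
        "name": "A. Customer",
        "mailing_address": "1 Example St",
        "statement_pdf": "stmt-2024-03.pdf",
        "tax_year": 2024,
        "balance": 4012.55,
        "phone": "555-0100",
    }
]

if __name__ == "__main__":
    for vendor in VENDOR_FIELDS:
        batch, problems = export_batch(SAMPLE_RECORDS, vendor)
        print(vendor, batch, problems)
```

The two checks are deliberately redundant: the allowlist is the control, and the egress scan exists so that a new field added to the core record (or a raw SSN copied into a free-text field) fails closed instead of shipping to the vendor. When the vendor is breached, the bank's exposure is bounded by the allowlist, and the pseudonymous account reference gives the attacker nothing that links back to a real account without the bank-held key.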

Forward Look

All eyes will be on April 25, when Everest threatens to release the data, providing the first direct public check of the banks' limited-exposure claims and potentially revealing the full scope of this third-party breach.
