Everest Ransomware Claims 3.4M Records Stolen from Citizens and Frost Banks
Everest claims 3.4M Citizens records and 250k Frost SSNs stolen; six lawsuits target banks, not the unnamed vendor blamed for the breach.

Everest ransomware group claims it stole 3.4 million records from Citizens Bank and more than 250 000 Social Security numbers from Frost Bank.
TL;DR: Six federal lawsuits accuse the banks of negligence while the ransomware group points to an unnamed third‑party vendor as the source of the breach.
Context
Both Citizens and Frost have told regulators and customers that the incident originated from a vendor’s systems. The banks say they were notified of unauthorized access to that vendor’s environment, which may have exposed customer data; that account aligns with Everest’s claims. No vendor has been named in any filing, and neither bank has submitted a material cyber‑incident report to the SEC or the Texas attorney general’s office.
Key Facts
The ransomware group announced the theft earlier this month, citing the exact numbers now echoed in the complaints. Plaintiffs allege the banks failed to safeguard names, addresses, Social Security numbers, and financial account information, exposing victims to identity theft and fraud. Technical details remain scarce, but ransomware operations like Everest typically begin with spear‑phishing (MITRE ATT&CK T1566.001), use stolen valid credentials (T1078), move laterally over Windows admin shares (T1021.002), and encrypt files (T1486). No specific CVE has been linked to this incident, but the pattern suggests exploitation of remote‑access tools or unpatched VPN appliances.
What It Means
The lawsuits test whether banks can be held liable for a vendor’s security failures. A Citizens complaint even asks the court to declare the bank’s current data security inadequate, which could set a precedent for stricter vendor‑risk oversight. For security teams, the incident underscores the need to treat third‑party access as an extension of the internal network.
Mitigations
- Enforce multi‑factor authentication on all remote‑access portals and privileged accounts.
- Segment vendor networks with strict firewall rules and monitor for anomalous lateral movement (look for MITRE technique T1021).
- Deploy EDR signatures that detect known Everest ransomware behaviors, such as credential dumping (T1003) and file encryption patterns.
- Maintain offline, immutable backups and test restoration quarterly.
- Review and patch external‑facing services (VPN, RDP) against known vulnerabilities; subscribe to vendor advisories for CVE‑2023‑XXXX‑style alerts.
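The second mitigation above, watching a segmented vendor network for lateral movement over admin shares (T1021.002), is the kind of check a detection engineer would script against share-access logs. The example below is added here and is not from the article or either bank; it assumes a vendor subnet of 10.50.0.0/16, an allow-list containing only the file server FS01, and a log format loosely modelled on Windows Security event 5140 (all constructed for illustration, as are the sample lines). It flags any vendor-segment host that opens a hidden admin share (C$, ADMIN$) or reaches a host outside its allow-list, and raises a second, higher-severity finding when one vendor source fans out to admin shares on several machines.

```python
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log lines, loosely modelled on Windows Security event 5140
# ("A network share object was accessed"). The field layout is an assumption
# made for this example; real exports will differ.
SAMPLE_LOGS = """\
2024-05-01T09:12:03Z EventID=5140 Src=10.50.1.12 Dst=FS01 Share=\\\\FS01\\VendorDrop User=VENDOR\\svc_upload
2024-05-01T09:13:10Z EventID=5140 Src=10.50.1.12 Dst=DC01 Share=\\\\DC01\\ADMIN$ User=CORP\\helpdesk1
2024-05-01T09:13:44Z EventID=5140 Src=10.50.1.12 Dst=WS0042 Share=\\\\WS0042\\C$ User=CORP\\helpdesk1
2024-05-01T09:14:02Z EventID=5140 Src=10.50.1.12 Dst=WS0043 Share=\\\\WS0043\\C$ User=CORP\\helpdesk1
2024-05-01T09:20:00Z EventID=5140 Src=10.10.7.5 Dst=WS0042 Share=\\\\WS0042\\C$ User=CORP\\itadmin
"""

# Assumptions for this example: the vendor segment and the only host it may reach.
VENDOR_NET = ipaddress.ip_network("10.50.0.0/16")
VENDOR_ALLOWED_HOSTS = {"FS01"}
FANOUT_THRESHOLD = 3  # distinct admin-share targets from one vendor source before alerting

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) Src=(?P<src>\S+) Dst=(?P<dst>\S+) "
    r"Share=(?P<share>\S+) User=(?P<user>\S+)$"
)


@dataclass(frozen=True)
class Event:
    ts: str
    src: str
    dst: str
    share: str
    user: str


@dataclass(frozen=True)
class Finding:
    rule: str
    source: str
    target: str
    detail: str


def parse_events(text: str) -> list[Event]:
    """Parse share-access (5140) lines; other event IDs and malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group("eid") == "5140":
            events.append(Event(m.group("ts"), m.group("src"), m.group("dst"),
                                m.group("share"), m.group("user")))
    return events


def is_admin_share(share: str) -> bool:
    """Hidden administrative shares (C$, ADMIN$, IPC$) end with '$'."""
    return share.rstrip("\\").rsplit("\\", 1)[-1].endswith("$")


def from_vendor_segment(ip: str) -> bool:
    try:
        return ipaddress.ip_address(ip) in VENDOR_NET
    except ValueError:
        return False


def detect_vendor_admin_share(events: list[Event]) -> list[Finding]:
    """Rule 1: a vendor-segment host opens an admin share, or any share on a non-allow-listed host."""
    findings = []
    for e in events:
        if not from_vendor_segment(e.src):
            continue
        if is_admin_share(e.share) or e.dst not in VENDOR_ALLOWED_HOSTS:
            findings.append(Finding("vendor-admin-share", e.src, e.dst,
                                    f"{e.user} opened {e.share} at {e.ts}"))
    return findings


def detect_vendor_fanout(events: list[Event]) -> list[Finding]:
    """Rule 2: one vendor-segment source touches admin shares on several distinct hosts."""
    targets = defaultdict(set)
    for e in events:
        if from_vendor_segment(e.src) and is_admin_share(e.share):
            targets[e.src].add(e.dst)
    return [Finding("vendor-fanout", src, ",".join(sorted(hosts)),
                    f"admin shares opened on {len(hosts)} hosts")
            for src, hosts in targets.items() if len(hosts) >= FANOUT_THRESHOLD]


def analyze(text: str) -> list[Finding]:
    """Run both rules over a log export and return every finding."""
    events = parse_events(text)
    return detect_vendor_admin_share(events) + detect_vendor_fanout(events)


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOGS):
        print(f"[{f.rule}] {f.source} -> {f.target}: {f.detail}")
```

On the constructed sample the first line (a vendor service account writing to its drop share on FS01) is silent, the three admin-share accesses from 10.50.1.12 each produce a finding, and the fan-out rule fires once because that single source reached C$/ADMIN$ on three different hosts within minutes. The same two rules apply equally to a SIEM query; the allow-list is the part that encodes the segmentation policy the mitigation calls for.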
Watch for any SEC filings or vendor disclosures that could clarify liability and shape future third‑party risk management rules.