
U.S. Banks Investigate Possible Data Leaks After Everest Ransomware Threat

Citizens and Frost Bank investigate possible data leaks tied to the Everest ransomware gang; no internal breach confirmed, supply‑chain risk highlighted.

Peter Olaleru, Cybersecurity Editor (3 min read)

Image: Citizens Financial Ahead Of Earnings Figures

Source: American Banker (original source)

TL;DR

Two U.S. banks are probing possible data leaks after the Everest ransomware gang threatened to publish stolen customer information taken from third‑party vendors. No internal network breach has been confirmed, but the incidents highlight growing supply‑chain risk.

Context

On April 21, Citizens Bank disclosed it was managing an incident involving data extracted from a third‑party vendor. The bank said most of the exposed information was masked test data, though a limited set of real customer details for a small number of users was involved. Citizens added there is no evidence of unauthorized access to its network and that operations continue with enhanced monitoring.

Key Facts

Frost Bank told Cyber News it had engaged external cybersecurity experts after a vendor alerted the lender to possible hacker access to its systems. Early findings suggest the incident may relate to recent claims made by cybercriminals, and Frost also reports no evidence of unauthorized network intrusion. Both banks appeared on a dark‑web site operated by the Everest ransomware gang, which gave them a six‑day deadline before threatening to leak the stolen data. According to PYMNTS Intelligence, 38% of invoice fraud cases and 43% of phishing attacks originate from compromised vendors, illustrating how supply‑chain weaknesses fuel broader fraud.

What It Means

The investigations show attackers are exploiting trusted vendor relationships to reach financial institutions without needing to breach internal defenses, a tactic aligned with MITRE ATT&CK technique T1199 (Supply Chain Compromise). Defenders should enforce strict vendor access controls, require multifactor authentication for all third‑party connections, and segment vendor networks from critical assets. Regularly patching third‑party software (prioritizing CVEs with known exploit code) and monitoring for anomalous data transfers can reduce risk. Organizations should also review incident‑response plans to include ransomware negotiation scenarios and maintain offline backups to mitigate double‑extortion threats. Watch for updates from the banks’ investigations and any potential data leak publications by Everest in the coming week.
