Citizens Bank Hit by Ransomware Attack, 3.4 Million Records Exposed
On April 20, 2026, the Everest ransomware gang listed Citizens Bank, N.A. on its dark web leak site, claiming to have stolen approximately 3.4 million customer records. The breach, which also affected Texas-based Frost Bank, involved sensitive financial data, including names, home addresses, and account numbers.
The hackers employed a common extortion tactic, giving the banks six days before publicly releasing the stolen data unless a ransom was paid. Citizens Bank, a subsidiary of Citizens Financial Group, operates across 14 states and Washington, D.C., serving customers in the Northeast, Mid-Atlantic, and Midwest.
National class action law firm Edelson Lechtzin LLP has launched an investigation into potential legal claims on behalf of affected individuals, who may face heightened risks of identity theft and fraud. The firm is offering free case evaluations to those who received breach notifications from Citizens Bank.
The incident underscores the growing threat of ransomware attacks targeting financial institutions, with cybercriminals increasingly leveraging stolen data for extortion. No further details on the breach’s origin or the banks’ response have been disclosed.
Citizens Savings Bank and Trust Company (Member FDIC) cybersecurity rating report: https://www.rankiteo.com/company/citizensbank1904
Frost cybersecurity rating report: https://www.rankiteo.com/company/frostbank
"id": "CITFRO1776918350",
"linkid": "citizensbank1904, frostbank",
"type": "Ransomware",
"date": "4/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"{'affected_entities': [{'customers_affected': '3.4 million',
'industry': 'Financial Services',
'location': 'Northeast, Mid-Atlantic, and Midwest (14 '
'states and Washington, D.C.)',
'name': 'Citizens Bank, N.A.',
'type': 'Bank'},
{'industry': 'Financial Services',
'location': 'Texas',
'name': 'Frost Bank',
'type': 'Bank'}],
'customer_advisories': 'Free case evaluations offered to affected individuals',
'data_breach': {'data_exfiltration': 'Yes',
'number_of_records_exposed': '3.4 million',
'personally_identifiable_information': ['Names',
'Home addresses',
'Account numbers'],
'sensitivity_of_data': 'High',
'type_of_data_compromised': 'Sensitive financial data'},
'date_publicly_disclosed': '2026-04-20',
'description': 'On April 20, 2026, the Everest ransomware gang listed '
'Citizens Bank, N.A. on its dark web leak site, claiming to '
'have stolen approximately 3.4 million customer records. The '
'breach involved sensitive financial data, including names, '
'home addresses, and account numbers. The hackers employed a '
'common extortion tactic, giving the banks six days before '
'publicly releasing the stolen data unless a ransom was paid.',
'impact': {'data_compromised': '3.4 million customer records',
'identity_theft_risk': 'Heightened risks of identity theft and '
'fraud',
'legal_liabilities': 'Potential class action lawsuits'},
'investigation_status': 'Ongoing (investigation by Edelson Lechtzin LLP)',
'motivation': 'Extortion',
'ransomware': {'data_exfiltration': 'Yes', 'ransomware_strain': 'Everest'},
'references': [{'date_accessed': '2026-04-20',
'source': 'Everest ransomware gang dark web leak site'},
{'source': 'Edelson Lechtzin LLP'}],
'regulatory_compliance': {'legal_actions': 'Potential class action lawsuits'},
'threat_actor': 'Everest ransomware gang',
'title': 'Citizens Bank Hit by Ransomware Attack, 3.4 Million Records Exposed',
'type': 'Ransomware'}