<\/p>\n
Overview bullets generated by AI with editorial review<\/i><\/p>\n
Processing Content<\/p>\n
Ransomware group Everest recently claimed it stole 3.4 million records from Citizens Bank and 250,000 Social Security numbers from Frost Bank.<\/p>\n
On Tuesday, the day after Everest listed the two banks as victims, Citizens issued a statement attributing the incident to a third-party vendor. Frost provided American Banker a similar statement on Wednesday. Neither bank has named the compromised vendor.<\/p>\n
The data samples on Everest’s site suggest a single third-party compromise affected both banks, according to Adam Darrah, vice president of Intelligence at ZeroFox. The affected vendor appears to handle statement printing for Citizens and tax document fulfillment for Frost, Darrah told American Banker.<\/p>\n
The samples do not suggest Everest reached internal systems at either bank, Darrah said.<\/p>\n
The breach is yet another example of an attack on an outsourced vendor, affecting multiple banks in the fallout. In this case, the attack affects statement printing and tax-document outsourcing, which is common in banking and concentrated among a handful of large vendors.<\/p>\n
ZeroFox has previously assessed that Everest likely overstates the volume and sensitivity of the data it claims to hold. So, the breach also serves as a case study in how banks calibrate their public response when the group claiming the breach has a documented record of overstating its plunder.<\/p>\n
In its A spokesperson for Citizens did not directly respond to Everest’s claim that it had stolen 3.4 million records from the bank. The spokesperson told American Banker that the compromised data does not contain Social Security numbers.<\/p>\n Likewise, a spokesperson for Frost did not directly address Everest’s claim that it had more than 250,000 Social Security numbers and taxpayer identification numbers stolen from the bank.<\/p>\n The Frost spokesperson said the bank received a notification from a third-party vendor about unauthorized access to the vendor’s systems that “may have included Frost customer data.” Early findings indicate the incident “may be related to recent claims made by cybercriminals,” the spokesperson said.<\/p>\n Frost has engaged external cybersecurity experts and has no evidence of unauthorized access to its own network, the spokesperson added.<\/p>\n The spokesperson did not directly address Everest’s claim that the group had stolen more than 250,000 Social Security numbers and taxpayer identification numbers from the bank.<\/p>\n A single shared vendor compromise is the most likely explanation for the samples Everest has posted, Darrah said. The alternative scenario, in which two vendors in the same category were hit in a coordinated operation, is possible but less likely.<\/p>\n “The appearance of document-production-specific data in two banks within a single posting is probably not a coincidence,” Darrah said.<\/p>\n Several gaps in the public record remain. Neither bank has named the vendor. A Citizens spokesperson referred the question of whether it shares the vendor with Frost to Frost itself. A Frost spokesperson did not address the question.<\/p>\n Neither bank has publicly reconciled its framing with the specific counts in Everest’s claim. Frost has not said whether it confirms or disputes the claim outright. Neither bank has said whether it has notified its federal banking regulators.<\/p>\n Neither bank is new to a vendor-involved incident. Frost The scale of what Everest is now claiming would represent a different order of magnitude.<\/p>\n The Everest ransomware and extortion group emerged in December 2020. An Everest shifted from pure double-extortion ransomware (encrypting a victim’s data and threatening to leak it publicly unless a ransom is paid) to a mix of data extortion and so-called initial access brokering (selling stolen access to other criminal groups) starting in late 2021 and specializing by 2023, the profile said.<\/p>\n The group has also run a program offering cash to corporate insiders in exchange for remote access, according to the HHS analysis.<\/p>\n Everest has likely exaggerated the quantity and quality of its alleged victim data and in some cases fabricated it entirely, ZeroFox concluded in In the case of Citizens and Frost, the specifics of Everest’s claim (250,000-plus Social Security numbers and taxpayer identification numbers from Frost and 3.4 million banking records from Citizens) remain unverified.<\/p>\n The group is currently threatening to publish the stolen files on April 25.<\/p>\n<\/div>\nWhat we do and do not know<\/h2>\n
Everest and its credibility problem<\/h2>\n