Customers sue Citizens, Frost over third-party data breach

• Key insight: Both banks blame the breach on an unnamed third-party vendor. The lawsuits target the banks anyway.
• What's at stake: One Citizens complaint goes beyond damages and asks the court to declare the bank's current data security inadequate.
• Supporting data: Ransomware group Everest claimed it stole 3.4 million records from Citizens and more than 250,000 Social Security numbers from Frost.

Overview bullets generated by AI with editorial review

Customers of Citizens Bank and Frost Bank initiated six proposed class action lawsuits last week, accusing both lenders of failing to protect customer data after a breach at a third-party vendor.

Plaintiffs filed four federal complaints against Citizens in U.S. District Court for the District of Rhode Island. Two more filed state-court petitions against Frost in Bexar County, Texas.

None of the six complaints names the vendor. All six name the bank.

A spokesperson for Citizens Bank told American Banker on Tuesday that "in our view the claims contained within these suits are generally inaccurate."

Asked whether anything had changed on a possible cybersecurity incident disclosure to the Securities and Exchange Commission, or SEC, the Citizens spokesperson said there was nothing to add.

Ransomware group Everest claimed earlier this month it had stolen 3.4 million records from Citizens and more than 250,000 Social Security numbers from Frost.

Citizens attributed the incident to a third-party vendor in an April 21 statement. Frost issued a similar statement the next day. Both said their own networks had not been breached.

A Frost spokesperson said previously the bank received a notification of unauthorized access to a vendor's systems that "may have included Frost customer data," and that early findings indicate the incident "may be related to recent claims made by cybercriminals."

Inside the complaints

All six complaints accuse the banks of negligence and breach of implied contract for failing to safeguard customer information including names, addresses, Social Security numbers and financial account information. Most also plead negligence and unjust enrichment, and one alleges breach of fiduciary duty.

The affected customers say the failures expose them to identity theft and fraud.

A Citizens spokesperson said previously that the compromised data does not contain Social Security numbers.

The most detailed of the four Citizens cases lists six filenames Everest claims to have leaked, including "CZ doc track data table" and "PPQA AOS letter data table."

Adam Darrah, vice president of Intelligence at ZeroFox, told American Banker last week that the affected vendor appears to handle statement printing for Citizens and tax document fulfillment for Frost. The file names cited in the Citizens lawsuit fit that pattern.

That same complaint also quotes Citizens' own Consumer Privacy Notice, in which the bank promises customers it uses "security measures that are designed to comply with applicable law," including "computer safeguards and secured files and buildings."

Another complaint against Citizens asks the court to declare that the bank's current data security remains inadequate, beyond seeking damages.

The named plaintiff in that case, Andrew Hennig, is a Citizens mortgage customer and a former Citizens branch manager in New Jersey. The complaint says the breach affected current and former Citizens employees alongside customers, an unusual reach for a data-breach class action.

Two Texas residents brought the Frost petitions. William B. Federman of Federman & Sherwood, an Oklahoma City firm that files data-breach class actions at high volume, represents both.

Both class definitions in Texas sweep broadly, covering "all persons whose Private Information were compromised." Neither petition specifies how many people might be in the class.

One of the petitions alleges Everest "compromised over 380 gigabytes of files and millions of database records," citing the third-party tracker dailydarkweb.net rather than Frost itself.

That same petition alleges the stolen data includes credit card information and passport numbers, categories that neither Frost nor Everest's leak-site listing has named.

It also says the customer has canceled his debit card "at least four times" because of "unrecognized charges" and has seen an increase in spam communications since the breach.

What the public record still doesn't say

Neither the banks nor the complaints against them have named the vendor.

Frost has not filed a notification with the Texas Attorney General's office, whose database tracks breaches affecting 250 or more state residents. The 30-day clock for such a filing, starting from Frost's stated April 20 discovery, would run to roughly May 20.

Likewise, neither bank has filed a public disclosure of a material cybersecurity incident with the SEC.

The SEC's cybersecurity disclosure rules give a public company four business days to file an 8-K once it determines a cybersecurity incident is material to investors. The clock starts at that determination, not at discovery of the incident.

The rules require companies to make the determination "without unreasonable delay" after discovery but set no hard deadline.

Citizens' April 21 statement said the incident affected only "a limited set of information for a small number of customers," consistent with a determination that the incident is not material to investors and that no 8-K filing is required.