Citizens Bank Data Breach

-


 

Citizens Bank experienced a confirmed data breach in April 2026 tied to a third‑party vendor compromise, with exposed data including customer names, home addresses, and account numbers — while hackers claim they hold up to 3.4 million Citizens records.

Multiple credible reports confirm that Citizens Bank did not suffer a direct network breach. Instead, attackers infiltrated a third‑party vendor that stored Citizens customer data.

  • Citizens publicly acknowledged the incident on April 21, 2026, stating that “most of this was masked test data” and only a limited set of real customer information was involved.

  • Meanwhile, the Everest ransomware gang posted Citizens Bank on its leak site on April 20, 2026, claiming to possess ~3.4 million records.

This discrepancy — Citizens reporting limited exposure vs. Everest claiming millions — is common in extortion campaigns.

Data Exposed

Across verified disclosures and samples posted by attackers, the following data types were involved:

Confirmed by Citizens Bank

  • Names

  • Home addresses

  • Account numbers

Across verified disclosures and samples posted by attackers, the following data types were involved:

Confirmed by Citizens Bank

  • Names

  • Home addresses

  • Account numbers

Claimed by Everest (unverified by Citizens)

  • Full names

  • Home addresses

  • Account numbers

  • Internal document flags

  • No SSNs or TINs were found in samples attributed to Citizens

Important:

Citizens states no evidence of unauthorized access to its internal network and operations remain normal.

Risk Level

Even without SSNs, the exposed data can fuel:

  • Targeted phishing (bank‑themed scams)

  • Account impersonation attempts

  • Fraudulent address‑change or social‑engineering attacks

Everest’s extortion deadline (six days after April 20) increases the likelihood of data being leaked if ransom demands are unmet.

Legal Fallout

Citizens Bank is already facing multiple federal class‑action lawsuits filed in Rhode Island on April 23, 2026. Claims include:

  • Negligence

  • Breach of implied contract

  • Unjust enrichment

  • Breach of fiduciary duty

  • Recklessness

Law firms (e.g., Edelson Lechtzin LLP) are actively investigating and soliciting impacted customers.

Recommended Actions for Customers

Given the nature of the exposed data, the following steps are prudent:

  • Monitor bank accounts for unauthorized activity

  • Enable fraud alerts with credit bureaus

  • Be skeptical of unsolicited calls/emails claiming to be from Citizens Bank

  • Preserve any breach notification letters for legal or monitoring support

  • Consider credit monitoring (Citizens is offering enhanced monitoring to affected customers)


Popular posts from this blog

WSUS CVE-2025-59287 Mitigation

-
Image
CVE-2025-59287 is a critical Remote Code Execution (RCE) vulnerability affecting Windows Server Update Services (WSUS) . Here's a detailed breakdown of what it is, how it works, and what you should do about it: Overview Disclosed: October 2025 Patch Tuesday CVSS Score: 9.8 (Critical) Affected Systems: Windows Server 2012 through 2025 (including Server Core installations) Exploitability: Microsoft rates it as “Exploitation More Likely” Technical Details The vulnerability arises from unsafe deserialization of untrusted data in WSUS. Specifically, the GetCookie() endpoint in WSUS processes encrypted AuthorizationCookie objects without proper type validation. The deserialization occurs via .NET BinaryFormatter , which is known to be insecure when handling untrusted input. Attackers can send a crafted SOAP request to WSUS over port 8530 , containing a malicious AuthorizationCookie . The cookie is decrypted using a hardcoded AES key and then deserialized, allow...
Read more

Cloud Infrastructures are Having a Bad Week

-
Image
  Today’s disruptions across Microsoft Azure and Amazon Web Services (AWS) were significant, but they’re not signs of cloud computing’s demise. Instead, they underscore the risks of centralization and the importance of designing systems that can withstand provider-level failures. What happened today? • Microsoft Azure outage: Azure’s Front Door service suffered a major disruption due to a misconfiguration, impacting services like Outlook, Xbox, Microsoft 365, and even third-party platforms like Starbucks and Alaska Airlines. The Azure website states a little more than disruption. "Azure Front Door - Connectivity issues - Observing recovery Starting at approximately 16:00 UTC on 29 October 2025, customers and Microsoft services leveraging Azure Front Door (AFD) may have experienced latencies, timeouts, and errors. We have confirmed that an inadvertent configuration change was the trigger event for this issue. Affected Azure services may have included, but were not limited to: App S...
Read more

CVE-2025-58034 Fortinet Warnings and Mitigation

-
Image
Type: OS Command Injection vulnerability (CWE-78) Affected Product: Fortinet FortiWeb (Web Application Firewall) Affected Versions: 8.0.0 – 8.0.1 7.6.0 – 7.6.5 7.4.0 – 7.4.10 7.2.0 – 7.2.11 7.0.0 – 7.0.11 [nvd.nist.gov] , [cvedetails.com] Description The vulnerability is caused by improper neutralization of special elements used in OS commands . An authenticated attacker can exploit this flaw by sending crafted HTTP requests or CLI commands , allowing them to execute arbitrary code on the underlying system. This can compromise the integrity, confidentiality, and availability of the device. [nvd.nist.gov] , [cvedetails.com] Severity CVSS v3.1 Base Score: 7.2 (High) Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Attack Vector: Network Attack Complexity: Low Privileges Required: High User Interaction: None Impact: High on Confidentiality, Integrity, and Availability [cvedetails.com] Exploitation Status Actively Exploited: Yes. Fortinet confirmed expl...
Read more