What Happened to Citizens Bank Data Breaches and Security Incidents?
Citizens Bank, primarily referring to Citizens Financial Group, has faced multiple data security incidents, most notably a significant event in April 2026 where the Everest ransomware group claimed to have exfiltrated 3.4 million records from a third-party vendor. While Citizens Financial Group confirmed a vendor-related incident involving a limited set of customer information, they denied unauthorized access to their own network, leading to immediate class-action lawsuits. Other incidents include a 2024 insider wrongdoing event, a 2025 email breach at 'The Citizens Bank' of South Carolina, and a 2023 network breach at 'Citizens Bank of West Virginia'.
Quick Answer
In April 2026, Citizens Financial Group confirmed a data security incident stemming from a third-party vendor, after the Everest ransomware group claimed to have stolen 3.4 million records. The bank stated that most of the extracted data was masked test data, with a limited amount of actual customer information involved, and maintained that its core network was not compromised. This incident quickly led to multiple class-action lawsuits filed against Citizens Bank. Separately, 'The Citizens Bank' of South Carolina experienced an email environment breach in June 2025, and 'Citizens Bank of West Virginia' reported a network breach in November 2023, affecting thousands of customers with sensitive personal information. Citizens Financial Group also disclosed an insider wrongdoing incident in December 2024 affecting over 8,300 individuals.
📅Complete Timeline (12 events)
Citizens Bank of West Virginia Network Accessed
An unauthorized third party gained access to Citizens Bank of West Virginia's network through a trusted vendor connection, initiating a period of data acquisition.
Citizens Bank of West Virginia Discovers Breach
Citizens Bank of West Virginia discovered that an unknown, unauthorized third party had accessed and encrypted some of its network files.
Citizens Bank of West Virginia Identifies Compromised Data
The bank determined that files acquired by the unauthorized third party contained personal information, including names, Social Security numbers, addresses, and driver's license numbers.
Citizens Bank of West Virginia Reports Breach
Citizens Bank of West Virginia publicly reported the data breach, affecting 35,105 victims.
Citizens Financial Group Notifies Customers of Insider Incident
Citizens Financial Group began mailing notifications to 8,358 consumers affected by an 'insider wrongdoing' incident that exposed account numbers, Social Security numbers, and dates of birth.
Citizens Financial Group Inadvertent Disclosure
An 'inadvertent disclosure' incident occurred at Citizens Bank (Johnston, RI), affecting 12 individuals with names and other personal identifiers.
The Citizens Bank (SC) Discovers Email Breach
The Citizens Bank, a community bank in South Carolina, became aware of suspicious activity in its email environment, which was later determined to have been accessed between June 12 and June 14, 2025.
The Citizens Bank (SC) Breach Details Emerge
Details of The Citizens Bank (SC) breach were published, revealing exposure of Social Security numbers, financial account information, and other highly sensitive data.
Everest Ransomware Group Claims Citizens Bank Breach
The Everest ransomware group publicly listed Citizens Financial Group on its dark web leak site, claiming responsibility for a cyberattack and the theft of approximately 3.4 million records.
Citizens Financial Group Confirms Third-Party Vendor Incident
Citizens Financial Group issued a statement confirming an 'incident involving data extracted from a third-party vendor,' noting that most of it was masked test data but that a limited set of customer information was involved. The bank denied a breach of its own network.
Class-Action Lawsuits Filed Against Citizens Financial Group
Multiple class-action lawsuits were filed against Citizens Financial Group in federal court following the Everest ransomware group's claims, alleging negligence in data protection.
Everest Ransomware Group Data Release Deadline
The Everest ransomware group's stated deadline for publicly releasing the allegedly stolen data from Citizens Financial Group and Frost Bank, if a ransom is not paid, is set for this date.
🔍Deep Dive Analysis
The term 'Citizens Bank data breach' refers to a series of distinct security incidents affecting different financial institutions operating under the 'Citizens Bank' name, with the most recent and prominent event involving Citizens Financial Group, N.A.
In April 2026, Citizens Financial Group, a major U.S. bank, became the subject of a high-profile data security incident. The Everest ransomware group publicly claimed responsibility, listing Citizens Bank on its dark web leak site on April 20, 2026, and alleging the exfiltration of approximately 3.4 million records. The group also issued a six-day ultimatum for the banks to pay a ransom before publicly releasing the stolen data. Citizens Financial Group confirmed an 'incident involving data extracted from a third-party vendor' by a known threat actor. The bank clarified that 'most of this was masked test data, although a very limited set of customer information was involved,' and asserted there was 'no evidence of unauthorized access to the Citizens network' itself. Despite the bank's assurances, multiple class-action lawsuits were filed against Citizens Bank on April 22, 2026, alleging negligence and failure to protect sensitive personal and financial information, including names, addresses, and account numbers.
Prior to this, in December 2024, Citizens Financial Group had notified 8,358 consumers about a data breach attributed to 'insider wrongdoing.' This incident reportedly exposed sensitive information such as account numbers, Social Security numbers, dates of birth, and other identification details. Additionally, in March 2025, Citizens Bank (Johnston, RI, referring to Citizens Financial Group) reported a smaller 'inadvertent disclosure' affecting 12 individuals, which involved names and other personal identifiers.
Separately, 'The Citizens Bank,' a community bank based in Olanta, South Carolina, experienced its own data breach in June 2025. The bank discovered suspicious activity in its email environment between June 12 and June 14, 2025. An investigation revealed that unauthorized parties may have accessed files containing extensive sensitive information, including Social Security numbers, financial account information, payment card information, driver's license numbers, taxpayer identification numbers, medical information, and passport numbers. The bank offered complimentary credit monitoring services to affected individuals.
Another distinct entity, 'Citizens Bank of West Virginia,' reported a data breach in November 2023. The bank discovered on November 27, 2023, that an unauthorized third party had accessed its network through a trusted vendor connection between November 15 and November 27, 2023, and acquired certain files. This incident affected 35,105 victims, with compromised data including full names, Social Security numbers, addresses, and driver's license numbers. Law enforcement was notified, and the threat actor group responsible was reportedly disrupted.
The recurring theme across several of these incidents, particularly the major April 2026 event, is the compromise of third-party vendors, highlighting a significant vulnerability in the financial sector's supply chain security. While Citizens Financial Group has emphasized that its internal networks were not directly breached in the 2026 incident, the reliance on external service providers remains a critical point of exposure for sensitive customer data. The ongoing legal actions and the threat of public data release underscore the severe consequences and reputational damage associated with such breaches.