
Everest Ransomware Hits Frost & Citizens Banks: A Saudi TPRM Wake-Up Call

Everest ransomware listed Frost Bank and Citizens Financial Group on its leak site after compromising a shared third-party vendor. For SAMA-regulated banks, this is a textbook stress test of CSCC Domain 4 controls.

FyntraLink Team

On April 20, 2026, the Everest ransomware gang listed two US financial institutions — Frost Bank and Citizens Financial Group — on its dark web leak site, with a six-day countdown to public dump. Within days, both banks confirmed the data did not come from their own networks. It came from a single shared third-party vendor. For SAMA-regulated banks in Saudi Arabia, this incident is a textbook stress test of the controls in SAMA CSCC Domain 4 — Third Party Cybersecurity.

What Happened: The Vendor as the Weakest Link

According to disclosures from both banks and reporting by Cybernews and SC Media, Everest claims approximately 250,000 Frost Bank client records — including Social Security numbers, tax IDs, mortgage rates, and income data — alongside 3.4 million Citizens Bank records pulled from what appears to be a SQL database dump. Citizens has stated most of the exposed records were "masked test data," but the underlying chain of custody is the same in both cases: a vendor handling statement printing for Citizens and tax document fulfillment for Frost was breached, and the customer data flowed downstream to the attacker. Two class action lawsuits were filed in the US District Court of Rhode Island within four days.

Why Everest's Tactics Matter for SAMA Banks

Everest is a data-extortion-first group. Like Cl0p and RansomHub, the operators prioritize exfiltration over encryption, leveraging trusted file-transfer and document-processing vendors as initial access points. The pattern is consistent: identify a service provider with privileged access to multiple high-value customers, compromise it once, and monetize many breaches simultaneously. This is the same playbook used against MOVEit, Cleo, and GoAnywhere customers in prior years. Saudi banks rely on a comparable web of providers — statement print houses, KYC/AML processors, ATM service vendors, BPO call centers, and SaaS analytics platforms — all of which hold or transit production-grade customer PII.

Impact on Saudi Financial Institutions

SAMA CSCC explicitly addresses this scenario. Domain 4.2 (Third Party Cyber Security) requires regulated entities to assess, contractually obligate, and continuously monitor cyber security posture across the vendor lifecycle. NCA ECC control 2-15 mirrors this for non-financial regulated entities, while PDPL Article 31 imposes joint controller obligations whenever a processor handles personal data. A single Saudi-licensed bank can have hundreds of active third-party data-processing relationships. If Everest — or any of its affiliates — landed on a vendor used by Al Rajhi, SNB, Riyad Bank, or a Tier-2 bank, the resulting incident would be reportable under SAMA's 72-hour cyber incident notification window, would trigger PDPL data-subject notifications, and would expose the bank to civil claims under Saudi Arabia's evolving consumer protection regime.

Recommendations and Practical Steps

  1. Inventory critical data-processing vendors. Build a single source of truth listing every third party with access to customer PII, transaction data, or production credentials — including print bureaus, document fulfillment, and shadow SaaS used by business lines.
  2. Apply tiered due diligence. Map vendors against SAMA CSCC 4.2.1 risk tiers. Tier-1 vendors (those handling unmasked production data) require independent attestations: SOC 2 Type II, ISO 27001, PCI-DSS where applicable, and recent penetration test reports.
  3. Demand contractual right-to-audit and breach notification clauses. Contracts must require notification within 24–48 hours of any suspected incident — well inside SAMA's 72-hour clock to regulators.
  4. Continuously monitor vendor attack surface. Use external attack surface management to track exposed Everest-style entry points: unpatched MFT platforms, exposed RDP, and leaked credentials on dark web markets.
  5. Reduce data exposure at the source. Tokenize, mask, or pseudonymize data before it leaves your perimeter. The vendor in the Frost/Citizens case held raw records; tokenization would have reduced the breach to operational disruption rather than mass PII exposure.
  6. Run a tabletop on vendor compromise. Test your incident response plan against the specific scenario of a critical vendor being listed on a leak site by a group like Everest, Cl0p, or RansomHub.
  7. Validate exit and data-destruction clauses. Stale vendor relationships are an underestimated risk. CSCC 4.2.4 requires documented evidence of data return or destruction at end-of-contract.
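As an added illustration of step 5, and not code from the original post or from FyntraLink, the Python sketch below shows source-side pseudonymization of a customer record before it goes to a statement-print vendor: the bank keeps a keyed token vault, the vendor extract carries only tokens and a masked account number, and a release check refuses any row that still contains raw PII. The field names, the sample record and the vault design are assumptions for the example.

```python
import hashlib
import hmac
import re
import secrets

# Constructed field layout: what a print vendor gets tokenized vs. never gets at all.
TOKENIZED_FIELDS = ("customer_id", "ssn", "tax_id")
DROPPED_FIELDS = ("income",)  # not needed to print a statement: drop, don't send
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

SAMPLE_RECORD = {  # constructed sample, not real customer data
    "customer_id": "C-100042", "name": "Dana Example",
    "ssn": "123-45-6789", "tax_id": "98-7654321", "income": "85000",
    "account": "4401001234567890", "statement_period": "2026-03",
    "closing_balance": "1284.50",
}


def derive_token(key: bytes, field: str, value: str) -> str:
    """Keyed HMAC token: stable per value (vendor output can be matched back),
    but not reversible or guessable without the bank-held key."""
    mac = hmac.new(key, f"{field}:{value}".encode(), hashlib.sha256).hexdigest()
    return f"tok_{field}_{mac[:16]}"


class TokenVault:
    """Bank-side token -> raw value map; stays inside the bank's perimeter."""
    def __init__(self, key=None):
        self.key = key or secrets.token_bytes(32)
        self._store = {}

    def tokenize(self, field: str, value: str) -> str:
        tok = derive_token(self.key, field, value)
        self._store[tok] = value
        return tok

    def detokenize(self, tok: str) -> str:
        return self._store[tok]


def mask_account(acct: str) -> str:
    """Keep the last four digits for the printed statement, mask the rest."""
    return "*" * (len(acct) - 4) + acct[-4:]


def build_vendor_extract(vault: TokenVault, record: dict) -> dict:
    """Turn one bank record into the row actually shipped to the print vendor."""
    row = {k: v for k, v in record.items()
           if k not in TOKENIZED_FIELDS and k not in DROPPED_FIELDS}
    for f in TOKENIZED_FIELDS:
        row[f] = vault.tokenize(f, record[f])
    row["account"] = mask_account(record["account"])
    return row


def leaks_raw_pii(row: dict, record: dict) -> bool:
    """Release gate: True if any raw tokenized/dropped value, the full account
    number, or anything SSN-shaped is still present in the outbound row."""
    raw = {record[f] for f in TOKENIZED_FIELDS + DROPPED_FIELDS} | {record["account"]}
    return any(str(v) in raw or SSN_RE.search(str(v)) for v in row.values())
```

Run `leaks_raw_pii` as the last step of the export job so a misconfigured field mapping blocks the transfer instead of reaching the vendor.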

Conclusion

The Frost Bank and Citizens Financial breaches did not require attackers to defeat a single bank's perimeter, EDR stack, or fraud platform. They required attackers to compromise one weakly-secured vendor that already had the data. Saudi banks operating under SAMA CSCC, NCA ECC, and PDPL face the same structural exposure. Closing this gap is not a procurement issue — it is a board-level cyber resilience issue that demands continuous vendor visibility, contract enforcement, and data-minimization architecture.

Is your organization prepared? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment focused on third-party risk management and CSCC Domain 4 readiness.