
Everest Ransomware Breaches TSYS and Two Major Banks Through a Single Vendor

The Everest ransomware group compromised a payment processor and two major US banks through a single third-party vendor — exposing 3.6 million records. Here's what Saudi financial institutions must do about third-party risk now.

FyntraLink Team

In April and May 2026, a single ransomware operation demonstrated exactly why third-party risk management isn't a checkbox exercise. The Everest ransomware group didn't need to breach Citizens Financial Group, Frost Bank, or payment giant TSYS directly — they compromised one shared vendor and walked away with 3.6 million records, Social Security numbers, mortgage data, and payment processing intelligence. For any CISO in Saudi Arabia's SAMA-regulated financial sector, this is the scenario that keeps you awake at night.

How Everest Exploited the Third-Party Blind Spot

The attack chain was brutally efficient. Rather than attempting to penetrate the perimeter defenses of well-resourced financial institutions, Everest targeted a third-party vendor that handled statement printing for Citizens Financial and tax document fulfillment for Frost Bank. This vendor had legitimate access to sensitive customer data from both institutions — full names, home addresses, account numbers, Social Security numbers, tax identification numbers, and mortgage interest rates. By April 20, 2026, Everest listed both banks on its dark-web extortion portal, claiming 3.4 million records from Citizens and 250,000 from Frost. Both banks confirmed the incident within 48 hours, attributing it to the third-party vendor and insisting their own networks remained uncompromised.

Two weeks later, on May 2, 2026, Everest struck again — this time listing TSYS (Total System Services), a payment processing subsidiary of Global Payments headquartered in Columbus, Georgia. TSYS processes transactions for thousands of financial institutions worldwide. While the company has not publicly confirmed the breach, the pattern is consistent: Everest targets organizations embedded deep in the financial supply chain, where a single compromise yields access to data from dozens or hundreds of downstream clients.

Everest's Playbook: Data Theft First, Encryption Second

Everest operates as a ransomware-as-a-service (RaaS) platform, but their operational model has evolved significantly from the encrypt-and-extort playbook of 2023-era groups. Like Cl0p and RansomHub, Everest prioritizes data exfiltration before deploying encryption payloads. The group exploits trusted file-transfer platforms and vendor access channels to siphon sensitive data quietly — often dwelling in compromised environments for weeks before revealing their presence. This approach maximizes leverage: even if a victim can restore from backups, the threat of public data exposure forces negotiation. Median ransom demands against financial services organizations have reached a record $3 million in 2026, and Everest's targeting of payment processors suggests they understand exactly how to apply pressure where it hurts most.

Why This Matters for Saudi Financial Institutions

Saudi Arabia's financial sector relies heavily on third-party service providers — from payment processing and core banking systems to document management, cloud hosting, and managed security services. SAMA's Cyber Security Framework (CSCC) explicitly addresses third-party risk under Domain 3 (Third Party Cybersecurity), requiring regulated entities to assess, monitor, and enforce cybersecurity controls across their vendor ecosystem. Yet the Everest campaign exposes a gap that many institutions still struggle with: the difference between assessing a vendor's security posture at onboarding and continuously validating it throughout the relationship.

Consider a Saudi bank that outsources statement printing or document archiving to a regional vendor. That vendor has legitimate access to customer PII, account details, and transaction records. If that vendor's environment is compromised, the bank's own perimeter security is irrelevant — the data is already outside the castle walls. NCA's Essential Cybersecurity Controls (ECC) reinforce this with controls ECC-1 and ECC-2 mandating supply chain risk assessment, while PDPL (Saudi Personal Data Protection Law) imposes direct liability on data controllers for breaches involving processors who handle personal data on their behalf.

The TPRM Gap: Assessment vs. Continuous Monitoring

Most financial institutions perform vendor security assessments during procurement — questionnaires, SOC 2 report reviews, maybe a penetration test. But the Everest campaign demonstrates that point-in-time assessments are insufficient against persistent threat actors. The vendor that handled Citizens' statement printing likely passed its initial security review. The question is whether anyone was monitoring its environment for indicators of compromise six months later.

Effective Third-Party Risk Management (TPRM) in 2026 requires continuous monitoring capabilities: automated scanning of vendor-exposed attack surfaces, real-time threat intelligence feeds that flag when a vendor appears on ransomware leak sites, contractual rights to conduct surprise audits, and incident notification SLAs measured in hours rather than days. SAMA CSCC Domain 3.2 specifically requires "continuous monitoring of third-party cybersecurity risks," but translating that requirement into operational capability remains a challenge for many institutions.

Practical Recommendations for Saudi Financial Sector CISOs

  1. Tier your vendors by data sensitivity. Not every vendor needs the same scrutiny. Classify vendors into tiers based on the sensitivity and volume of data they access. Statement printers, tax document processors, and payment intermediaries handling customer PII belong in Tier 1 — subject to the most rigorous controls and monitoring.
  2. Implement continuous attack surface monitoring. Deploy external attack surface management (EASM) tools that continuously scan your critical vendors' internet-facing assets. Services like SecurityScorecard, BitSight, or Recorded Future provide automated risk scoring and alert when a vendor's posture degrades.
  3. Enforce contractual incident notification SLAs. Your vendor contracts must include breach notification requirements aligned with PDPL's 72-hour notification window. For Tier 1 vendors, negotiate 24-hour notification obligations with defined escalation paths.
  4. Conduct tabletop exercises with vendor scenarios. Run incident response tabletops specifically simulating a vendor breach. Test whether your team can identify which vendor has access to what data, trigger containment procedures, and notify SAMA within required timeframes.
  5. Deploy data loss prevention (DLP) on vendor access channels. Monitor and control data flows to and from third-party environments. Implement just-in-time access provisioning, ensuring vendors access only the minimum data necessary for their contracted function.
  6. Audit vendor access quarterly. Review and re-certify all vendor access to production environments, databases, and file shares every quarter. Revoke access for vendors whose contracts have ended or whose services have changed.
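As an added illustration of recommendations 1, 3 and 6 (and the leak-site alerting described in the TPRM section), here is a small Python access-review helper that is not part of the original article or any Fyntralink tooling. It tiers vendors by the data categories they access, derives the notification SLA per tier, flags quarterly re-certifications that are overdue and production access that has outlived its contract, and cross-checks vendor names against a leak-site feed; the vendor names, data categories, thresholds and feed are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set
# Assumed tiering rule: vendors touching SSNs, TINs, account or mortgage data
# are Tier 1 (statement printers, tax processors, payment intermediaries).
TIER1_DATA = {"ssn", "tin", "account_number", "mortgage_data", "card_data"}
TIER2_DATA = {"name", "address", "email"}
REVIEW_INTERVAL_DAYS = 90          # quarterly re-certification (recommendation 6)
SLA_HOURS = {1: 24, 2: 72, 3: 72}  # 24h for Tier 1, PDPL 72h window otherwise

@dataclass
class Vendor:
    name: str
    data_categories: Set[str]
    last_access_review: date
    contract_end: Optional[date] = None  # None means the contract is still active
    has_prod_access: bool = True

def tier_for(v: Vendor) -> int:
    """Tier 1 for sensitive PII, Tier 2 for basic PII, Tier 3 for no customer data."""
    if v.data_categories & TIER1_DATA:
        return 1
    return 2 if v.data_categories & TIER2_DATA else 3

def review_vendors(vendors: List[Vendor], today: date,
                   leak_site_listings: List[str]) -> Dict[str, dict]:
    """Return {vendor: {"tier": n, "issues": [...]}} for vendors needing action."""
    listed = {n.lower() for n in leak_site_listings}
    findings: Dict[str, dict] = {}
    for v in vendors:
        t, issues = tier_for(v), []
        if (today - v.last_access_review).days > REVIEW_INTERVAL_DAYS:
            issues.append("access review overdue")
        if v.contract_end and v.contract_end < today and v.has_prod_access:
            issues.append("orphaned access: contract ended")
        if v.name.lower() in listed:  # vendor appeared on a ransomware leak site
            issues.append(f"listed on leak site; notify within {SLA_HOURS[t]}h")
        if issues:
            findings[v.name] = {"tier": t, "issues": issues}
    return findings

# Constructed sample inventory and leak-site feed (not real vendors or listings).
SAMPLE_VENDORS = [
    Vendor("PrintCo", {"name", "address", "account_number", "ssn"}, date(2026, 1, 5)),
    Vendor("DocArchive", {"name", "address"}, date(2026, 4, 1),
           contract_end=date(2026, 3, 31)),
    Vendor("CloudHost", set(), date(2026, 4, 20)),
]
SAMPLE_LEAK_FEED = ["printco"]
TODAY = date(2026, 5, 4)
```

Running `review_vendors(SAMPLE_VENDORS, TODAY, SAMPLE_LEAK_FEED)` returns findings only for the two vendors needing action, with the Tier 1 printer carrying a 24-hour notification clock.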

Conclusion

The Everest ransomware campaign against TSYS, Citizens Financial, and Frost Bank is not an isolated incident — it is the culmination of a trend that has been accelerating throughout 2025 and 2026. Ransomware operators have learned that the path of least resistance into well-defended financial institutions runs through their vendors. For Saudi financial institutions operating under SAMA, NCA, and PDPL mandates, third-party risk management must evolve from a procurement-phase checkbox into a continuous, operationalized security function. The cost of getting this wrong is measured in millions of exposed records, regulatory penalties, and irreparable trust damage.

Is your organization prepared? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment — including a full evaluation of your third-party risk management program against SAMA CSCC Domain 3 requirements.