Citizens Bank Hit With Two Federal Lawsuits After Everest Ransomware Attack


Following our initial report on the Everest ransomware group's claims, Citizens Financial Group now faces a dual-front battle as federal litigation arrives in Rhode Island.

PROVIDENCE, RI — The legal fallout from the Everest ransomware group’s alleged breach of Citizens Bank has accelerated with the filing of two separate federal class action lawsuits in the US District Court for the District of Rhode Island. The litigation, filed on April 23, 2026, follows a "data incident via a third-party vendor" that the bank confirmed earlier this week.

The plaintiffs, Betty Lackey and Pamela Caffrey, represent a potentially massive class of customers whose names, Social Security numbers (SSNs), dates of birth, and financial account details were allegedly exposed. While Everest claims to have exfiltrated 3.4 million records, Citizens maintains that the vast majority of the data involved was "masked test data" rather than live production records.


Breach Audit: Litigation Timeline

The speed of these filings, arriving just days after the initial threat actor claim, underscores a new reality in risk management: the window between a breach claim and litigation has shrunk to nearly zero.

Incident to Litigation Timeline (April 2026)
| Date | Event Details |
|---|---|
| April 20 | Everest ransomware group lists Citizens Bank on its dark web leak site. |
| April 21 | Citizens confirms an incident involving a third-party vendor environment. |
| April 23 | Two federal class actions filed by Jules D’Allessandro and Peter Wasylyk. |

Allegations of Negligence

The 34-page and 40-page complaints allege that Citizens failed to implement industry-standard security measures, specifically citing a lack of multi-factor authentication (MFA) and IP-based restrictions on the vendor’s database. Counsel for the plaintiffs argue that the bank breached its fiduciary duty by allowing sensitive PII to remain vulnerable in a non-production environment.

Citizens has pushed back, stating that "operations continue as normal" and that there is no evidence of a compromise within its core internal network. However, the legal focus remains on vendor vulnerability management, a pattern we have seen in other recent systemic fragility incidents.


The CyberSignal Analysis

Signal 01 — The "Masked Data" Defense

Citizens' primary defense rests on the claim that the stolen data was "masked." In data governance terms, if the masking was insufficient or reversible, the bank still faces full liability. The lawsuits will likely force a discovery process to determine if the "test data" was actually pseudonymized production data — a frequent oversight in financial DevOps cycles.

Signal 02 — The Escalation of Vendor Liability

This case highlights the growing trend of "vendor-leaping," where threat actors bypass a bank’s hardened perimeter by targeting softer third-party partners. For CISOs, this means cyber essentials must be enforced not just on partners, but specifically on the testing and staging environments those partners use.


Sources

| Type | Source |
|---|---|
| Legal Report | GoLocalProv: Class Action Details |
| Threat Intel | DeXpose: Everest Ransomware Claim |
| Industry News | Morningstar: Legal Investigations |
| Original Cover | The CyberSignal: Initial Coverage |
| Archive | ClassAction.org: Case Context |
