What happened
Frost Bank, San Antonio’s largest bank, is facing two proposed class-action lawsuits following a cyberattack attributed to the Everest ransomware group that allegedly exposed the sensitive personal data of an estimated 109,000 customers. The bank has not publicly confirmed the scope of the breach, nor has it reported the incident to the Texas Attorney General’s Office, which tracks the disclosures that state law requires within 30 days of discovery for breaches affecting 250 or more residents.
Frost Bank has acknowledged being notified by a third-party vendor of unauthorized access to the vendor’s systems that may have included Frost customer data. The bank stated there is no evidence of unauthorized access to the Frost network itself and that early findings suggest the incident may be related to recent claims made by cybercriminals. Outside cybersecurity experts have been engaged to assist with the investigation.
The lawsuits characterize the incident differently, alleging that hackers accessed Frost customer data and may have stolen hundreds of gigabytes of information, including Social Security numbers, financial account details, and contact information. The complaints accuse the bank of failing to implement adequate cybersecurity measures and of delaying notification to affected customers. Each suit seeks more than $1 million in damages. Everest, the group linked to the attack, is described by federal health officials as targeting US organizations and operating within Russian-speaking cybercriminal networks.
Who is affected
An estimated 109,000 Frost Bank customers face potential exposure of Social Security numbers, financial account information, and contact details, based on the lawsuit filings. The bank has not independently confirmed that figure or issued public notification. Customers who have not yet received direct notification remain in an uncertain position regarding the scope and nature of their exposure.
Why CISOs should care
The Frost Bank situation presents a pattern that security and legal teams at financial institutions should examine closely. A third-party vendor breach became the entry point for a claimed large-scale customer data exposure, the bank’s characterization of the incident differs significantly from the lawsuits’ allegations, and the absence of a Texas AG disclosure despite state law requirements adds a regulatory dimension to what is already a litigation-heavy situation.
For security leaders, the third-party vendor angle is the most operationally relevant. Frost Bank’s position that its own network was not breached does not reduce the exposure of customer data held or processed by a vendor. The legal and reputational consequences fall on the institution regardless of where the breach occurred.
3 practical actions
- Audit what customer data, including Social Security numbers and financial account details, is accessible to third-party vendors and under what security requirements: The Frost Bank incident followed a vendor breach rather than a direct network intrusion. Map which vendors hold or can access sensitive customer data and confirm that contractual security requirements, access controls, and audit rights are proportional to the sensitivity of that data.
- Review state breach notification obligations and ensure disclosure timelines are tracked from the moment a vendor notifies you of a potential incident: Texas law requires notification within 30 days for breaches affecting 250 or more residents. The clock on that obligation does not wait for a forensic investigation to conclude. Establish internal protocols that trigger the notification assessment immediately upon receiving a vendor breach notification, not after the investigation is complete.
- Prepare for litigation as a parallel workstream when a breach involves third-party vendor exposure: The Frost Bank lawsuits were filed before the bank had publicly confirmed the scope or nature of the breach. Legal counsel, document preservation, and communications management should be activated in parallel with forensic investigation whenever a potential breach involves customer PII at scale.
Also in the news today:
- Ubuntu and Canonical Web Services Hit by DDoS Attack
- Microsoft Defender Mistakenly Flags DigiCert Root Certificates as Malware
- Threat Actors Use AI to Automate Zero-Day Discovery and Exploitation at Machine Speed
- Salt Typhoon Suspected in Breach of IBM Italy Subsidiary Managing Public Infrastructure
- Sandhills Medical Foundation Ransomware Breach Draws Class Action Investigation Nearly a Year Later
- Telegram Mini Apps Abused for Crypto Scams and Android Malware Delivery
