Frost Bank, San Antonio's largest bank, is facing two proposed class-action lawsuits after a cyberattack attributed to the Everest ransomware group allegedly exposed the personal data of roughly 109,000 customers. The intrusion reportedly began at a third-party vendor, and the bank has not yet publicly confirmed the scope of the incident or filed a disclosure with the Texas Attorney General's Office.

What Happened

Frost Bank acknowledged being notified by a third-party vendor of unauthorized access to the vendor's systems, which may have included Frost customer data. The bank maintains there is no evidence of unauthorized access to its own network and that early findings suggest a possible link to recent claims made by cybercriminals. Outside cybersecurity experts have been engaged to support the investigation.

Two proposed class-action lawsuits tell a more aggressive story, alleging that hackers accessed Frost customer data and may have exfiltrated hundreds of gigabytes of information. Each suit seeks more than $1 million in damages, accusing the bank of failing to implement adequate cybersecurity controls and of delaying notification to affected customers. The Everest ransomware group, linked by federal health officials to Russian-speaking cybercriminal networks, has been tied to the attack.

What Was Taken

According to the lawsuit filings, the exposed data set may include:

Plaintiffs estimate roughly 109,000 individuals are affected and allege hundreds of gigabytes of data were stolen. Frost Bank has not independently confirmed these figures, and customers who have not received direct notification remain unsure of the scope of their exposure.

Why It Matters

This incident illustrates how a vendor compromise can produce institution-level liability and reputational damage even when the targeted organization's own network remains intact. Frost's public position that its perimeter was not breached does not insulate it from class-action exposure, regulatory scrutiny, or customer harm. The data still belongs to Frost customers, and so does the accountability.

The regulatory angle compounds the legal one. Texas law requires notification to the state Attorney General within 30 days of discovery for breaches affecting 250 or more residents. The absence of such a filing, while plaintiffs allege a six-figure victim count, places Frost in a difficult posture as both lawsuits and potential regulatory inquiries proceed in parallel.

The Attack Technique

The intrusion vector is a third-party vendor compromise rather than a direct attack on Frost Bank infrastructure. Everest, the group linked to the breach, is a financially motivated extortion operation known for data theft and pressure-based monetization, often publishing or threatening to publish stolen data on its leak site when demands are not met. The specific vendor, exploit, and initial access vector have not been publicly disclosed. The pattern is consistent with the broader trend of ransomware affiliates targeting service providers and processors that hold downstream customer data on behalf of larger, better-defended institutions.

What Organizations Should Do

  1. Inventory all third parties that store, process, or transmit customer data and rank them by sensitivity and volume of records held.
  2. Require vendors to contractually commit to rapid breach notification timelines that align with applicable state and federal disclosure deadlines.
  3. Validate vendor security posture through independent assessments, SOC 2 review, and targeted questionnaires focused on ransomware resilience and data segmentation.
  4. Establish a vendor incident playbook that defines internal escalation, legal review, regulator notification, and customer communication workflows the moment a vendor reports unauthorized access.
  5. Monitor known ransomware leak sites, including Everest's, for mentions of your organization or your vendors, and integrate findings into incident response triggers.
  6. Reduce data shared with vendors to the minimum necessary, and tokenize or encrypt sensitive identifiers such as SSNs and account numbers before they ever leave your environment.
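
A sketch of item 6, added here as an illustration and not taken from the article or from any organization it names: an export step that drops fields the vendor does not need and replaces SSNs and account numbers with keyed tokens before the record leaves your environment. The field names, the allowlist, and the sample key and record are assumptions constructed for the example.

```python
import hashlib
import hmac

# Assumption: the only fields this hypothetical vendor needs for its service.
VENDOR_ALLOWED_FIELDS = {"customer_ref", "ssn", "account_number", "statement_month"}
# Sensitive identifiers that are replaced by tokens before export.
TOKENIZED_FIELDS = {"ssn", "account_number"}


def normalize(value: str) -> str:
    """Strip separators so '000-12-3456' and '000123456' yield the same token."""
    return "".join(ch for ch in value if ch.isalnum())


def tokenize(field: str, value: str, key: bytes) -> str:
    """Deterministic keyed token. A plain hash is not enough: the SSN space is
    about 10^9 values, so an unkeyed digest can be reversed by enumeration.
    The field name is mixed in so equal values in different fields differ."""
    msg = field.encode() + b"\x00" + normalize(value).encode()
    return "tok_" + hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def prepare_for_vendor(record: dict, key: bytes) -> dict:
    """Apply the allowlist (data minimization), then tokenize what remains."""
    out = {}
    for field, value in record.items():
        if field not in VENDOR_ALLOWED_FIELDS:
            continue  # never shared with the vendor
        if field in TOKENIZED_FIELDS:
            out[field] = tokenize(field, str(value), key)
        else:
            out[field] = value
    return out


# Constructed sample data. In practice the key comes from a KMS or HSM that
# the vendor cannot reach, and is never shipped with the export.
SAMPLE_KEY = b"constructed-demo-key-not-for-production"
SAMPLE_RECORD = {
    "customer_ref": "C-1001",
    "ssn": "000-12-3456",          # invalid SSN, constructed
    "account_number": "4000-1234",  # constructed
    "date_of_birth": "1980-01-01",
    "statement_month": "2025-01",
}

if __name__ == "__main__":
    print(prepare_for_vendor(SAMPLE_RECORD, SAMPLE_KEY))
```

Because the tokens are deterministic, the vendor can still match records for the same customer across files, while a copy of the vendor's data set contains no usable SSNs or account numbers without the key.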

Sources: Frost Bank Hit With Class-Action Lawsuits Over Data Breach Affecting More Than 100,000 Customers - Security Boulevard