Frost Bank hit with class-action suits over breach exposing data | #ransomware | #cybercrime

Frost Bank is facing two proposed class-action lawsuits alleging the bank failed to adequately protect customer data following a cyberattack attributed to a prominent ransomware group.

Both complaints stem from an alleged breach this month in which hackers accessed Frost Bank’s systems and stole customers’ sensitive personal information.

Bill Day, a Frost Bank spokesman, said the bank does not comment on pending litigation but was recently notified by a third-party vendor of unauthorized access to the vendor’s systems that may have included Frost customer data. The bank has engaged cybersecurity experts to assist with an investigation.

“Early findings indicate that the incident may be related to recent claims made by cybercriminals,” Day said. “At this time, there is no evidence of unauthorized access to the Frost network. Customers can be reassured they’re able to safely use all Frost services.” 

ANOTHER ATTACK: Data breach hits Humana customers in Texas, five other states

The lawsuits, however, characterize the incident differently, attributing the attack to a ransomware group known for targeting major organizations and using data-extortion tactics, threatening to leak stolen information unless victims pay.

Federal health officials have warned that the group, known as Everest, targets U.S. organizations and may gain access through compromised accounts or sell that access to other cybercriminals. Everest is part of a broader ecosystem of cybercriminal groups, many of which operate in Russian-speaking networks.

Cybersecurity reports have linked Everest to attacks across multiple industries, though many of the group’s claims are difficult to independently verify.

The complaints accuse San Antonio’s largest bank of failing to implement adequate cybersecurity measures and delaying notification to affected customers, leaving them vulnerable to identity theft and fraud. Each suit seeks more than $1 million in damages.

The suits were filed by customers Javier Hinojosa of Amarillo and Renard Donaie of Baytown, who seek to represent others affected by the breach. William Federman, a Dallas lawyer who represents them, did not immediately respond to a request for comment.

READ MORE: Frost Bank continues to post strong returns from ongoing branch expansion in Texas

One of the lawsuits estimates that about 109,000 people may have been affected, though Frost Bank has not publicly disclosed the scope of the breach.

Frost Bank has not reported the breach to the Texas Attorney General’s Office, according to the agency’s public database, which tracks disclosures required under state law.

Texas law generally requires companies to report certain data breaches within 30 days of discovering them, if at least 250 residents are affected.

The breach exposed highly sensitive data, including Social Security numbers, financial account information and contact details, according to the lawsuits. One of the complaints, citing cybersecurity reports, alleges hackers may have stolen hundreds of gigabytes of data.

Frost Bank failed to promptly notify affected customers of the breach, the lawsuits allege, potentially delaying their ability to protect against fraud.

The complaints warn that the stolen data could be sold or circulated online, exposing affected customers to long-term risks of identity theft and fraud.