Citizens Bank Data Breach Class Action Lawsuit, Were You a Customer When the Everest Hack Hit?
Prepared by the AllAboutLawyer.com Editorial Team, reviewed for factual accuracy against court filings, official Massachusetts Attorney General breach notification records, and credible news sources on May 18, 2026. Last Updated: May 18, 2026.
Citizens Financial Group Inc. is facing two federal class action lawsuits filed in U.S. District Court in Providence after the ransomware group Everest publicly claimed responsibility for attacking a third-party vendor that held Citizens Bank customer data on or about April 20, 2026. The lawsuits allege the bank failed to protect the personally identifiable information (PII) of potentially millions of current and former customers. No settlement has been reached, and no claim form is open — but if you banked with Citizens, here is exactly what is happening and what your options are right now.
Quick-Facts
| Field | Detail |
| Lawsuit Filed | April 22–24, 2026 |
| Defendant | Citizens Financial Group Inc. / Citizens Bank |
| Alleged Violation | Negligence, breach of implied contract, breach of fiduciary duty, unjust enrichment, recklessness — and duties under the Gramm-Leach-Bliley Act (GLBA) |
| Who Is Affected | Current and former Citizens Bank customers whose personal and financial data was stored by the affected third-party vendor |
| Current Court Stage | Early litigation — lawsuits just filed; no class certification yet |
| Court & Jurisdiction | U.S. District Court for the District of Rhode Island, Providence |
| Lead Law Firms | Jules D’Alessandro (RI); Peter Wasylyk (RI) with national co-counsel |
| Next Hearing Date | TBD — case in earliest stages; no hearing scheduled as of May 18, 2026 |
| Official Case Website | TBD — no official case website established yet |
| Last Updated | May 18, 2026 |
What Is the Citizens Bank Lawsuit About? Hauser v. Citizens Financial Group and Related Actions, U.S. District Court, District of Rhode Island
According to the 34-page complaint filed in U.S. District Court by Rhode Island attorney Jules D’Allesandro, on April 20, 2026, the ransomware group Everest publicly claimed responsibility for a cyberattack against Citizens Bank, infiltrating its systems and exfiltrating sensitive information of potentially millions of current and former customers. The plaintiffs allege the bank violated the Gramm-Leach-Bliley Act — the federal law that requires financial institutions to safeguard customer data — and breached its duty of care by failing to ensure the third-party vendor it relied on had adequate security protections in place.
Citizens Bank attributed the incident to a third-party vendor in an April 21 statement, and the bank stated its own network had not been breached. However, neither Citizens nor the complaints named the specific vendor. The core legal question in this case is whether a bank can escape liability by pointing to a vendor when it is the bank that chose and trusted that vendor with its customers’ most sensitive data. According to American Banker, the affected vendor appears to handle statement printing for Citizens, and the file names cited in the lawsuits fit that pattern.
The plaintiffs allege Citizens Bank’s failure to safeguard, monitor, and protect highly sensitive personal and financial information — including names, addresses, dates of birth, Social Security numbers, and financial account information — and that the bank owed a duty of care to class members to ensure its systems and information technology partners adequately protected that PII. The lawsuits also point to a second complaint seeking a court declaration that Citizens Bank’s current data security remains inadequate — not just monetary damages. Similar data breach class actions — like those covered in our breakdown of the Citizens Bank data breach class action — show how courts are increasingly holding banks accountable even when the direct breach occurred at a vendor.
Related article: Trump Dropped His $10 Billion IRS Lawsuit Here Is the Deal Taking Its Place
Are You Part of the Citizens Bank Class Action Lawsuit?
You are a current or former Citizens Bank customer. You are wondering whether this case includes you. Here is how to find out.
You may be part of this class if:
- You held a checking, savings, mortgage, or other account with Citizens Bank at any point before April 20, 2026
- Your name, address, account number, or other personal information was stored by the third-party vendor involved in the attack
- You received a breach notification letter from Citizens Bank or Citizens Financial Group following the April 2026 incident
- You have seen increased spam, phishing attempts, or suspicious activity on your accounts since April 20, 2026
You are likely NOT included if:
- You have never held any account or financial product with Citizens Bank or Citizens Financial Group
- Citizens Bank’s own position is that the breached data does not include Social Security numbers and that the real customer data exposure was limited to “a small number of customers” — though the lawsuits dispute that characterization sharply
- You bank only with Frost Bank — that institution is named in separate lawsuits filed in Texas, not in this Rhode Island federal case
Citizens Bank dismissed the lawsuit claims as “generally inaccurate” and said there is “no evidence of fraud resulting from this event.” The courts will ultimately determine how many customers were genuinely affected and what data was actually exposed. For a broader look at how data breach class actions work for bank customers, see our guide to consumer class action lawsuits and data breach compensation.
What Are Citizens Bank Plaintiffs Seeking in This Lawsuit?
The plaintiffs are not just asking for money — they are asking the court to force Citizens Bank to change how it handles customer data. Each complaint seeks damages exceeding $5,000,000 and proposes to represent all Citizens Bank customers whose data was exposed.
The lawsuits seek identity theft protection for affected customers, reimbursement for out-of-pocket losses related to the breach, and enhanced cybersecurity measures from the bank going forward — relief that courts in similar data breach cases have increasingly required as a condition of settlement, not just cash payments.
One Citizens complaint goes further than the others, asking the court to declare that the bank’s current data security remains inadequate. No settlement amount exists yet. No class action settlement eligibility calculation is possible at this stage. If the case progresses and a settlement is reached, affected customers will receive notice and instructions on how to file a legal claim for data breach compensation at that time.
What Should You Do If You Were Affected by the Citizens Bank Breach?
You do not need to do anything right now to remain part of the class. If the court certifies a class, you are automatically included as a Citizens Bank customer whose data may have been exposed. However, taking these steps protects you while the case moves forward.
- Watch your mail. On April 28, 2026, Citizens Financial Group disclosed the breach to the Massachusetts Attorney General. Formal notification letters may be arriving or are forthcoming — keep any letter you receive, as it may document your eligibility.
- Monitor your accounts and credit. Plaintiffs allege that as a direct result of Citizens Bank’s recklessness, class members face an imminent, substantial, and continuing risk of fraud, identity theft, and misuse of their PII. Place a fraud alert or credit freeze with Equifax, Experian, and TransUnion if you are concerned.
- Save all records. Keep any notification letters, account statements, and documentation of unusual activity or out-of-pocket costs you have incurred since April 20, 2026. These records support a future data breach compensation claim.
- Consult a consumer rights lawyer if your losses are significant. Most class members do not need their own attorney, but if you have suffered documented identity theft or financial loss, a free legal consultation with a data breach attorney can clarify your individual options.
- Monitor this case at PACER (pacer.gov) under “Citizens Financial Group” in the Rhode Island district for updates on class certification and any settlement.
Citizens Bank Class Action Lawsuit Timeline
| Milestone | Date |
| Everest Ransomware Attack / Data Claimed | April 20, 2026 |
| Citizens Bank Statement (Third-Party Vendor) | April 21, 2026 |
| First Two Federal Lawsuits Filed (Providence, RI) | April 22–24, 2026 |
| Massachusetts AG Breach Disclosure by Citizens | April 28, 2026 |
| Class Certification Motion | TBD — typically filed months after initial complaint |
| Expected Settlement Timeline | TBD — data breach class actions typically take 2–4 years |
| Next Scheduled Hearing | TBD — case in earliest stages as of May 18, 2026 |
Frequently Asked Questions
Is there a class action lawsuit against Citizens Bank?
Yes. Two class action lawsuits were filed against Citizens Financial Group in U.S. District Court in Providence on April 23, 2026, brought by plaintiffs Jillian Russell Hauser and Lorien Hansford, both seeking damages exceeding $5,000,000 and proposing nationwide classes of affected customers.
Do I need to do anything right now to be included?
No. If the court certifies a class, you are automatically included as a Citizens Bank customer whose data was exposed. You do not need to file anything or contact anyone at this stage. Simply preserve your records and monitor your accounts.
When will a settlement be reached in the Citizens Bank case?
There is no timeline yet. The lawsuits were just filed in late April 2026. Data breach class actions of this type typically take two to four years to reach a settlement or go to trial. A settlement is possible but not guaranteed — Citizens Bank has already disputed the lawsuits as “generally inaccurate.”
Can I file my own lawsuit against Citizens Bank instead?
You can consult a personal injury or data breach attorney to evaluate an individual claim. However, individual data breach lawsuits are expensive and complex. Most affected customers recover more effectively through a class action. If you have suffered significant, documented losses — such as confirmed identity theft or financial fraud directly tied to this breach — a free legal consultation will help you weigh your options.
How will I know if the Citizens Bank lawsuit settles?
If a settlement is reached, the court requires that notice be sent to all class members by mail and/or email. You can also monitor PACER (pacer.gov) for case filings, or watch for updates on the official case website once it is established. Sign up for any Citizens Bank breach notification service if the bank makes one available.
How much data did Everest actually steal from Citizens Bank?
The Everest ransomware group claimed nearly 3.4 million records from Citizens Financial, with samples revealing full names, home addresses, account numbers, and internal document flags. Citizens Bank disputes the scale and sensitivity of the data, saying most of what was taken was “masked test data.”
Who is the Everest ransomware group?
The Everest ransomware-as-a-service operation has been active since at least 2020, running a double-extortion model — attackers steal data, encrypt systems, and threaten to publish everything if the victim does not pay. The group is Russia-linked and has previously targeted Nissan, Collins Aerospace, Iberia Airlines, Under Armour, and BMW.
What law did Citizens Bank allegedly break?
The lawsuits allege violations of the Gramm-Leach-Bliley Act (GLBA) — the federal law requiring banks to protect customer financial information — along with state and common law claims including negligence, breach of fiduciary duty, unjust enrichment, and recklessness. The GLBA theory is particularly significant because it places ultimate accountability on the regulated financial institution, not the vendor, regardless of who actually got hacked.
Sources & References
- Court Docket: Hauser v. Citizens Financial Group Inc. and related actions, U.S. District Court for the District of Rhode Island, Providence (search PACER at pacer.gov under “Citizens Financial Group”)
- Massachusetts AG Breach Disclosure: Citizens Financial Group filed April 28, 2026
- American Banker: Customers Sue Citizens, Frost Over Third-Party Data Breach, April 29, 2026
- GoLocal Prov: Citizens Bank Hit With Two Federal Lawsuits After Cyberattack, April 23, 2026
- SC Media: Extensive Citizens Financial Group, Frost Bank Breaches Claimed by Everest Ransomware, April 2026
Disclaimer: This article is for informational purposes only and does not constitute legal advice. Legal claims and outcomes depend on specific facts and applicable law. For advice regarding your particular situation, consult a qualified attorney.
About the Author
Sarah Klein, JD, is a licensed attorney and legal content strategist with over 12 years of experience across civil, criminal, family, and regulatory law. At All About Lawyer, she covers a wide range of legal topics — from high-profile lawsuits and courtroom stories to state traffic laws and everyday legal questions — all with a focus on accuracy, clarity, and public understanding.
Her writing blends real legal insight with plain-English explanations, helping readers stay informed and legally aware.
Read more about Sarah