Citizens Bank Data Breach Class Action Lawsuit 2026, What Happened, Who Is Affected, and What to Do Now
Prepared by the AllAboutLawyer.com Editorial Team and reviewed for factual accuracy against the Boston Globe, GoLocal Providence, American Banker, InvestmentNews, and Cybernews on April 25, 2026. Last Updated: April 25, 2026
Citizens Financial Group, Inc. is facing two federal class action lawsuits filed in U.S. District Court in Providence after the ransomware group Everest, on or about April 20, 2026, publicly claimed responsibility for attacking a third-party vendor that held Citizens Bank customer data. Citizens Bank disclosed the breach in a statement on Tuesday, saying it was “managing an incident involving data extracted from a third party vendor,” and characterized the impact as affecting “a small number of customers.” The lawsuits, however, allege the breach may have exposed the data of millions.
Quick Facts: Citizens Bank Data Breach Lawsuits
| Field | Detail |
|---|---|
| Plaintiffs | Jillian Russell Hauser (Ohio resident); Lorien Hansford (Maine resident) |
| Defendant | Citizens Financial Group, Inc. / Citizens Bank, N.A. |
| Case Type | Data Breach Class Action |
| Court | U.S. District Court, District of Rhode Island, Providence |
| Date Filed | April 23, 2026 |
| Case Numbers | TBD — filed April 23, 2026; docket numbers not yet publicly confirmed |
| Legal Claims | Negligence, breach of implied contract, unjust enrichment, breach of fiduciary duty, recklessness |
| Damages Sought | More than $5,000,000 per complaint |
| Current Stage | Recently filed; no scheduling order or hearing date set |
| Next Scheduled Date | TBD — case in earliest stage |
| Plaintiffs’ Attorneys | Peter N. Wasylyk (Russell Hauser complaint); Jules D’Alessandro (Hansford complaint) — both Rhode Island-based with national co-counsel |
| Last Updated | April 25, 2026 |
Case Timeline
| Date | Event |
|---|---|
| April 20, 2026 | Everest ransomware group posts samples of Citizens Bank and Frost Bank customer data on its dark web leak site; gives banks a six-day deadline before full data release |
| April 21, 2026 | Citizens Financial Group issues public statement acknowledging a third-party vendor incident; says “most of this was masked test data” with limited real customer data involved |
| April 22, 2026 | Edelson Lechtzin LLP announces investigation into potential additional class action claims |
| April 23, 2026 | Two federal class action complaints filed in U.S. District Court, Providence, Rhode Island |
| April 26, 2026 | Everest’s self-imposed deadline for full public data release |
| TBD | Court scheduling order; Citizens Bank deadline to respond to complaints |
What Is the Citizens Bank Data Breach Class Action About?
The core of this case is a dispute over who is responsible when a bank’s outside vendor gets hacked and customer data walks out the door.
According to the 34-page complaint filed by Rhode Island attorney Jules D’Alessandro, plaintiffs allege that “on April 20, 2026, the ransomware group Everest publicly claimed responsibility for a cyberattack against Citizens Bank,” and that “Everest infiltrated Citizens Bank’s systems and, on information and belief, exfiltrated sensitive information of potentially millions of current and former customers.” Citizens Bank disputes that characterization — the bank says the breach was at the vendor level, not its own network.
In a statement released April 21, Citizens said it has “no evidence of unauthorized access to the Citizens network” and that operations continue normally. But the lawsuits argue that it does not matter where the attack technically occurred — the bank had a legal obligation to ensure its vendors protected customer data with the same care the bank itself would be required to provide.
Cybersecurity analysts at ZeroFox told American Banker that the same-day posting of document-production-specific data from both Citizens and Texas-based Frost Bank points to a single shared vendor compromise rather than two separate attacks — though neither bank has identified the vendor by name. That unidentified third party sits at the center of what the lawsuits will ultimately need to untangle. For customers researching how these third-party breach cases have resolved in the past, the Cadence Bank $5.25M MOVEit data breach settlement is a close comparison — another bank-adjacent vendor breach that led to a federal class action.
The legal claims in both complaints include negligence (the bank allegedly failed to adequately vet and oversee its vendor’s security), breach of implied contract (customers trusted their data would be protected when they opened accounts), unjust enrichment, and breach of fiduciary duty. These are the standard causes of action in data breach compensation litigation and mirror the claims brought in dozens of similar bank and financial services breach cases.

Who Are the Plaintiffs and What Do They Allege?
Jillian Russell Hauser, an Ohio resident, is the named plaintiff in the complaint filed by attorney Peter N. Wasylyk. Russell Hauser’s lawsuit says Everest leaked information on the dark web that it had stolen from Citizens.
Lorien Hansford, a Maine resident, is the named plaintiff in the 34-page complaint filed by Jules D’Alessandro. Both complaints propose a nationwide class of all current and former Citizens Bank customers whose personally identifiable information — or PII, meaning data like names, addresses, account numbers, and dates of birth — may have been exposed.
The plaintiffs allege the bank’s “failure to safeguard, monitor, maintain, and protect highly sensitive personal and financial information, including, upon information and good faith belief, names, addresses, dates of birth, Social Security Numbers, and financial account information” constitutes a breach of the duty of care Citizens owed its customers.
Citizens Bank denies those characterizations. A Citizens spokesperson told American Banker that the compromised data does not contain Social Security numbers — a significant distinction from Everest’s claims — and that most of what was accessed was masked test data used for internal testing purposes. A Citizens spokesperson explained that masked data replaces sensitive data such as names, account numbers, and Social Security numbers with “realistic but fake values, so people and systems can work with the data without seeing real confidential information.”
The gap between what Everest claims it stole — approximately 3.4 million records — and what Citizens says was exposed — a “limited set of information for a small number of customers” — is one of the central factual disputes this litigation will need to resolve. For context on how similar bank data breach class actions have unfolded, the SouthState Bank $1.5M data breach settlement involved comparable allegations of inadequate vendor oversight.
What Is at Stake in This Lawsuit?
Each complaint seeks damages exceeding $5,000,000 and proposes to represent all Citizens Bank customers whose data was exposed. If a class is certified and the case proceeds, the financial exposure for Citizens could grow substantially depending on how many customers’ real data was actually compromised.
The Everest gang claims to have approximately 3.4 million records belonging to Citizens Bank, with affected personal data including names, home addresses, and account numbers. If those numbers hold up and real customer data is confirmed, the class could be one of the larger financial breach cases filed in 2026.
The lawsuits seek identity theft protection for affected customers, reimbursement for out-of-pocket losses related to the breach, and enhanced cybersecurity measures from the bank going forward — relief that courts in similar data breach cases have increasingly required as a condition of settlement, not just cash payments.
Attorney Peter N. Wasylyk said in a statement: “Data breach class actions, like this case against Citizens Bank, aim to hold companies responsible when they fail to protect personal information, while ensuring that those affected have access to meaningful, long-term safeguards against misuse of their data.”
What Should You Do Right Now If You Are a Citizens Bank Customer?
No claim form exists and no settlement has been proposed. But there are concrete steps you should take today, regardless of how this litigation unfolds:
Step 1 — Monitor your accounts immediately. Log into your Citizens Bank account and review all recent transactions. Report any unauthorized activity to Citizens Bank directly at the number on the back of your card.
Step 2 — Place a fraud alert with the credit bureaus. Contact Equifax, Experian, or TransUnion to place a free fraud alert on your credit file. A fraud alert requires lenders to verify your identity before opening new accounts in your name.
Step 3 — Consider a credit freeze. A credit freeze is free and prevents new credit from being opened in your name entirely. It is stronger protection than a fraud alert and does not affect your existing accounts.
Step 4 — Watch for a notification letter from Citizens Bank. Citizens has said it is notifying impacted individuals directly. If you receive a breach notification letter, save it — it will be your primary documentation if a settlement is reached and you need to file a claim.
Step 5 — Document any related losses. Keep records of any time you spend monitoring accounts, any fraudulent charges, or any fees you pay for credit monitoring services. These are the types of losses that data breach settlements typically compensate.
Step 6 — Watch AllAboutLawyer.com for updates. This page will be updated when a settlement is proposed or a claim process opens. No action is needed in the lawsuit right now — class members are automatically included if a class is certified.
Frequently Asked Questions: Citizens Bank Data Breach Lawsuit 2026
1. Is there a class action lawsuit against Citizens Bank?
Yes. Two class action lawsuits were filed against Citizens Financial Group in U.S. District Court in Providence on April 23, 2026, brought by plaintiffs Jillian Russell Hauser and Lorien Hansford. Both seek damages exceeding $5,000,000 and propose nationwide classes of affected customers.
2. Do I need to do anything right now to be included in the lawsuit?
No. If the court certifies a class, you are automatically included as a Citizens Bank customer whose data may have been exposed. No action is required until a settlement is reached or a claims process opens. Monitor your accounts and save any notification letters you receive.
3. What data was actually stolen from Citizens Bank?
Citizens Bank says most of what was accessed was “masked test data” and that real customer data exposure was limited to “a small number of customers.” Everest claims to have approximately 3.4 million records including names, home addresses, and account numbers. Citizens has stated the breached data does not include Social Security numbers. The full scope is under active investigation.
4. How much could I receive from a Citizens Bank data breach settlement?
No settlement exists yet — these cases were filed April 23, 2026 and are in their earliest stage. In comparable bank data breach settlements, customers have received anywhere from a flat pro-rata cash payment of $50–$150 to up to $5,000 for documented out-of-pocket losses. The final amount depends on the total fund, the number of claimants, and what losses you can document.
5. Can I read the court documents?
Yes. The complaints are filed in the U.S. District Court for the District of Rhode Island in Providence. You can search the PACER federal court records system (pacer.gov) using “Citizens Financial Group” to locate both case dockets once they receive formal case numbers.
6. Was Citizens Bank’s own network hacked?
According to Citizens Bank, no. The bank has stated there is no evidence of unauthorized access to the Citizens network itself, and that the incident involves data extracted from a third-party vendor. The lawsuits argue this distinction does not relieve Citizens of responsibility for the data it entrusted to that vendor.
7. What is the Everest ransomware group?
Everest is a ransomware-as-a-service operation active since at least 2020, running a double-extortion model — attackers steal data, threaten to publish it, and demand payment to prevent release. The group has previously targeted Nissan, Collins Aerospace, Iberia Airlines, Under Armour, and BMW. The six-day deadline Everest gave Citizens Bank expired around April 26, 2026.
8. When will a settlement be reached in the Citizens Bank case?
TBD — it is too early to project. Data breach class actions at major financial institutions typically take 12 to 36 months to reach a settlement after the initial complaint is filed, depending on the complexity of the case, the volume of discovery, and whether Citizens Bank and plaintiffs’ counsel reach an early resolution.
Sources & References
- Boston Globe: Class action lawsuits filed after Citizens Bank data breach — April 24, 2026
- Cybernews: Frost Bank, Citizens Bank data leak: Hackers set 6-day deadline — April 21, 2026
Disclaimer: This article is for informational purposes only and does not constitute legal advice. Information about ongoing legal cases is based on publicly available court records and verified reporting. Allegations described in this article have not been proven in court. For advice regarding a particular legal situation, consult a qualified attorney.
About the Author
Sarah Klein, JD, is a licensed attorney and legal content strategist with over 12 years of experience across civil, criminal, family, and regulatory law. At All About Lawyer, she covers a wide range of legal topics — from high-profile lawsuits and courtroom stories to state traffic laws and everyday legal questions — all with a focus on accuracy, clarity, and public understanding.
Her writing blends real legal insight with plain-English explanations, helping readers stay informed and legally aware.
