Banking Sector | March 2026 | Financial Services

Citizens Financial Group

One of the largest regional banks in the U.S. had customer data compromised through their vendor ecosystem.

Customer names, account numbers, Social Security numbers, financial records, contact information

1. What happened?

Citizens Financial Group, one of the oldest and largest financial institutions in New England with over $220 billion in assets, disclosed a data breach affecting customer information. The breach occurred through a third-party vendor relationship, continuing the pattern of supply chain compromises plaguing the financial sector.

2. What data was actually inside?

Customer names, account numbers, Social Security numbers, and financial records. This is banking data in its most sensitive form—the information needed to access accounts, open new credit lines, or file fraudulent tax returns.

When a bank shares customer data with vendors, that data often includes the complete customer profile. Every vendor relationship extends the attack surface.

3. Who gets hurt and how?

Citizens serves customers across 14 states, primarily in the Northeast and Midwest. Customers who trusted their local bank with their financial lives now face the downstream consequences: credit monitoring, account freezes, and the long-term risk of identity theft.

Banking data is particularly dangerous because it's both immediately actionable (account takeover) and persistently valuable (identity theft for years to come).

4. What did they think they were doing right?

Citizens Financial is a regulated bank, subject to extensive federal and state oversight. They have compliance teams, security programs, and vendor risk management processes. They likely conducted due diligence on their third-party vendors. They had contracts specifying security requirements.

The problem: vendor assessments are point-in-time. Security postures change. And the data shared with vendors remains at risk regardless of what the contract says.

5. What did they not know about their own data?

Citizens didn't know—or couldn't act on knowing—exactly what customer data lived with each vendor. When you share data with a vendor, you're trusting their security. But you're also losing visibility into where that data goes within their systems, who accesses it, and how it's protected.

The data left Citizens' perimeter. At that point, Citizens' security controls no longer applied.

6. What does attribution look like the morning after?

Citizens had to notify customers that their data was compromised—not because of something Citizens did, but because of a vendor they chose to work with. That's a difficult message to deliver. Customers don't care about vendor relationships; they care that their bank let their data get stolen.

Regulatory scrutiny follows. The OCC and state banking regulators ask pointed questions about vendor oversight. The answers matter for future examination cycles.

7. What would have changed the outcome?

Knowing exactly what sensitive data goes to each vendor—and monitoring for exposure.

If Citizens had mapped customer data flows to vendors and understood the sensitivity of data at each endpoint, they could have limited what was shared, prioritized which vendors needed the most scrutiny, and potentially detected the breach faster. The vendor had their data. They should have known exactly what was at risk.
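
One way to make that mapping concrete, as an added example that is not from the original page or from Citizens: a per-vendor inventory of the data categories named above, scored to show what could be withheld and which vendors to review first. The vendor names, sensitivity weights, record counts, dates, the 365-day reassessment window and the stale-assessment penalty are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Assumed sensitivity weights for the data categories named on this page
# (illustrative values, not a standard).
SENSITIVITY = {
    "contact_information": 1,
    "customer_name": 1,
    "financial_records": 3,
    "account_number": 4,
    "ssn": 5,
}

@dataclass
class VendorFlow:
    vendor: str            # hypothetical vendor name
    shared: set            # categories actually sent to the vendor
    required: set          # categories the contracted service needs
    records: int           # customer records in the feed
    last_assessed: date    # date of the last point-in-time assessment

def excess_fields(flow):
    """Categories shared but not needed: candidates for data minimization."""
    return sorted(flow.shared - flow.required)

def exposure_score(flow, today, max_age_days=365):
    """Sensitivity of shared data scaled by volume; doubled if the assessment is stale."""
    score = sum(SENSITIVITY[c] for c in flow.shared) * flow.records
    if (today - flow.last_assessed).days > max_age_days:
        score *= 2  # assumed penalty: the point-in-time review has aged out
    return score

def review_queue(flows, today):
    """Vendors ordered by exposure, highest first, with their excess fields."""
    ranked = sorted(flows, key=lambda f: exposure_score(f, today), reverse=True)
    return [(f.vendor, exposure_score(f, today), excess_fields(f)) for f in ranked]

# Constructed sample inventory (hypothetical vendors and numbers).
FLOWS = [
    VendorFlow("email-marketing", {"customer_name", "contact_information"},
               {"customer_name", "contact_information"}, 500_000, date(2025, 9, 15)),
    VendorFlow("statement-printer", {"customer_name", "contact_information", "account_number", "ssn"},
               {"customer_name", "contact_information", "account_number"}, 200_000, date(2024, 11, 1)),
    VendorFlow("tax-form-processor", {"customer_name", "ssn", "financial_records"},
               {"customer_name", "ssn", "financial_records"}, 150_000, date(2025, 12, 1)),
]

if __name__ == "__main__":
    for vendor, score, excess in review_queue(FLOWS, date(2026, 3, 1)):
        print(f"{vendor:20} score={score:>10,} excess={excess}")
```

In this constructed data the smallest feed ranks first: it carries Social Security numbers the service does not need, and its assessment is more than a year old.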

Don't Learn What You Have From an Attacker

Citizens didn't know what customer data was exposed until after the vendor breach. Risk Finder shows you first.
