Software developer Sefas yesterday confirmed it notified 191,848 Texans of a December 2025 data breach at Frost Bank, a Sefas client.
According to the breach notice that Sefas sent on behalf of Frost Bank, the compromised data included:
- Names
- Social Security numbers
- Taxpayer ID numbers
- Account numbers
- Loan numbers
- Dates of birth
- Addresses
A cybercriminal group called Everest took credit for the breach on April 20, 2026. On its data leak website, Everest said it stole 250,000 Social Security numbers from Frost Bank, as well as 3.4 million records from Citizens Bank on the same day. Citizens Bank reported a data breach on April 21. On May 13, Everest said it leaked the Citizens Bank database.
Sefas, Frost Bank, and Citizens Bank have not acknowledged Everest’s claims, and Comparitech cannot independently verify them. We do not know if any of the affected companies paid a ransom, how much Everest demanded, or how many people were notified outside of Texas. Comparitech contacted Sefas, Frost Bank, and Citizens Bank for comment and will update this article if they reply.
“The investigation revealed activity consistent with unauthorized access to the SFTP server we use to provide software support,” says Sefas’ May 20 notice (PDF) to breach victims. “This activity included the download of certain files intermittently between December 2025 and April 2026, containing Frost Bank data.”
Sefas is offering breach victims 12 months of credit monitoring through Cyberscout. The deadline to enroll is 90 days from receipt of the notice letter.
Who is Everest?
Active since 2020, Everest is a ransomware gang and initial access broker. Its victims include NASA, the Brazilian government, and multiple hospitals and clinics. Everest’s malware both encrypts target systems and steals the data stored on them. It then demands a ransom to restore infected systems and delete stolen data.
Everest has claimed responsibility for 205 ransomware attacks in total. Of those, 48 were confirmed by the organizations it targeted.
Healthcare tech company Catalyst RCM notified 140,000 people of a November 2025 data breach claimed by Everest. Some of the group’s other recent attack claims include breaches at Notin.es in Spain, Iron Mountain in Massachusetts, Hosokawa Micron Group in Japan, and UMIILES in Spain.
Ransomware attacks on US finance
From the start of 2025 to now, Comparitech researchers have logged 68 attack claims by ransomware groups against US banks and other companies in the finance sector. The targeted companies confirmed nine of those attacks so far. They include:
- Starr Insurance reported a November 2025 data breach claimed by Akira
- MemberSource Credit Union notified at least 22,353 people of a June 2025 data breach claimed by SafePay
- Time Equities reported an October 2025 data breach claimed by Payouts King
- American Lending Center notified 123,158 people of a July 2025 ransomware attack
- Hawaii employers’ Mutual Insurance reported a February 2026 data breach claimed by LeakedData
- US Tige Securities notified 26,985 people of a July 2025 ransomware attack
- Loop Capital reported a February 2026 data breach claimed by Chaos
Ransomware attacks can both steal data and lock down computer systems. Once infected, the attacker then demands a ransom to delete stolen data and restore systems. Companies that refuse to pay can face extended downtime, permanent data loss, and putting customers at increased risk of fraud.
About Sefas
Based in Massachusetts, Sefas makes customer communication management software for enterprises. Messagepoint acquired Sefas in March 2026.