A third-party cyberattack. That’s all it took.
Citizens Bank confirmed on April 29 that a data breach exposed personal information for 3.5 million customers. The attack didn’t penetrate Citizens Bank’s own systems — it came through a third party. That’s a vendor, a partner, a software supplier. The weak link in your supply chain you probably don’t even know exists.
Sound familiar? It should.
Amtrak lost up to 9.4 million customer records through a CRM attack — another third-party vector. Comcast is paying $117.5 million for a 2023 breach that traced back to a third-party vendor. This isn’t bad luck. This is a pattern.
Third-party risk is now the primary way large organizations get hit. And if you think your small or mid-sized business isn’t on the target list, you’re wrong.
The Gap Most Businesses Don’t Know They Have
Large enterprises spend millions on cybersecurity. They also have hundreds of vendors, integrations, and third-party tools that create gaps they can’t fully close.
Small and mid-sized businesses? They often have even more exposure relative to their defenses — fewer security tools, no dedicated team, and a tendency to trust vendor relationships without verifying them.
That makes SMBs the preferred entry point for attackers who want to work their way up to bigger targets.
A hacker doesn’t need to breach your network directly. They find your vendor, your email provider, your IT software, your online banking portal — compromise one, and they own credentials, data, and sometimes direct access to your environment.
What the Breach Actually Means for Your Business
When a breach like the one at Citizens Bank happens, here’s the ripple effect:
- Your vendor’s security is now your security — if they get hit, your data is at risk
- Credential stuffing attacks spike — people reuse passwords, so breached credentials from one company get tested everywhere
- Regulatory and legal exposure — depending on your industry, you may have compliance obligations that include vendor risk management
What You Should Actually Do
You can’t control every vendor. But you can control your own posture:
- Know your vendor list — what software and services connect to your data? Who has access to what?
- Enforce strong password policies and MFA everywhere — especially for banking, email, and any system that touches sensitive data
- Monitor for unusual access — if someone logs in from a new location or device, you should know about it
- Treat third-party risk as part of your security strategy, not an IT footnote
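Two of the points above, "monitor for unusual access" and the credential-stuffing spike that follows a vendor breach, are concrete enough to show as detection logic. The script below is an added example written for this page; it is not NSI Tech's code or tooling. It runs over a handful of constructed authentication log lines (the format, the user names, the IP addresses and the geo/device fields are all made up for the example; in practice the geo lookup would come from your identity provider or log pipeline) and flags two things: a successful login whose country or device has never been seen for that user, and a single source IP that fails logins against many distinct accounts, which is the shape of a credential-stuffing run.

```python
# Added example, not from the original post: baseline-based detection of logins from a
# new location or device, plus a simple credential-stuffing signal, run over
# constructed sample auth log lines.
import re
from collections import defaultdict

# Constructed sample log lines (made up for this example, not from any real system).
# Format: timestamp user=<name> result=<success|failure> ip=<addr> geo=<country> device=<id>
SAMPLE_LOGS = """\
2024-05-01T08:01:10Z user=alice result=success ip=203.0.113.10 geo=US device=laptop-a1
2024-05-01T08:02:15Z user=bob result=success ip=203.0.113.11 geo=US device=phone-b7
2024-05-02T09:10:00Z user=alice result=success ip=203.0.113.10 geo=US device=laptop-a1
2024-05-03T02:45:31Z user=alice result=success ip=198.51.100.77 geo=RO device=unknown-x9
2024-05-03T02:46:02Z user=bob result=failure ip=198.51.100.77 geo=RO device=unknown-x9
2024-05-03T02:46:03Z user=carol result=failure ip=198.51.100.77 geo=RO device=unknown-x9
2024-05-03T02:46:04Z user=dave result=failure ip=198.51.100.77 geo=RO device=unknown-x9
2024-05-03T02:46:05Z user=erin result=failure ip=198.51.100.77 geo=RO device=unknown-x9
2024-05-03T02:46:06Z user=frank result=failure ip=198.51.100.77 geo=RO device=unknown-x9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>\S+) ip=(?P<ip>\S+) "
    r"geo=(?P<geo>\S+) device=(?P<device>\S+)$"
)


def parse_lines(text):
    """Turn the constructed log format into a list of dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def detect_new_location_or_device(events):
    """Flag successful logins whose country or device has not been seen before for that user.

    The first successful login for a user seeds the baseline and is not flagged. Here the
    baseline is learned in-stream for simplicity; in production it would be loaded from
    login history so that the very first event already has something to compare against.
    Returns a list of (timestamp, user, reason) tuples.
    """
    seen_geo = defaultdict(set)
    seen_device = defaultdict(set)
    alerts = []
    for ev in events:
        if ev["result"] != "success":
            continue
        user = ev["user"]
        reasons = []
        if seen_geo[user] and ev["geo"] not in seen_geo[user]:
            reasons.append(f"new location {ev['geo']}")
        if seen_device[user] and ev["device"] not in seen_device[user]:
            reasons.append(f"new device {ev['device']}")
        if reasons:
            alerts.append((ev["ts"], user, "; ".join(reasons)))
        seen_geo[user].add(ev["geo"])
        seen_device[user].add(ev["device"])
    return alerts


def detect_credential_stuffing(events, min_distinct_users=5):
    """Flag source IPs whose failed logins span many distinct accounts.

    A user mistyping a password fails repeatedly against one account; a credential-stuffing
    run fails across many accounts from the same source. The threshold is a constructed
    default, tune it to your own login volume. Returns {ip: sorted list of usernames}.
    """
    users_per_ip = defaultdict(set)
    for ev in events:
        if ev["result"] == "failure":
            users_per_ip[ev["ip"]].add(ev["user"])
    return {
        ip: sorted(users)
        for ip, users in users_per_ip.items()
        if len(users) >= min_distinct_users
    }


if __name__ == "__main__":
    evs = parse_lines(SAMPLE_LOGS)
    for ts, user, why in detect_new_location_or_device(evs):
        print(f"ALERT {ts} {user}: {why}")
    for ip, users in detect_credential_stuffing(evs).items():
        print(f"ALERT credential-stuffing pattern from {ip}: {len(users)} accounts ({', '.join(users)})")
```

On the sample data this raises one new-location/new-device alert (alice's login from RO on an unknown device) and one credential-stuffing alert for the source that tried five different accounts. Both checks are deliberately stateless beyond a per-run baseline; a real deployment would persist the per-user baselines and the per-IP counters, and would route the alerts to whoever is on the hook to call the user and to block or rate-limit the source.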
The Bottom Line
Citizens Bank has a $117.5 billion market cap. They still got hit through a third party. If you’re running your business with an IT setup that doesn’t actively manage vendor risk, monitor for threats, and patch proactively — you don’t have a security strategy. You have a hope.
We’re happy to do a real security assessment for your business. Talk to NSI Tech →