Frost Bank Data Breach Lawsuit Investigation
Received a May 2026 breach notice from Frost Bank?
Dapeer Law, P.A. is investigating a potential class action against Frost Bank, a Texas-based banking institution and subsidiary of Cullen/Frost Bankers, Inc., on behalf of customers whose personal information may have been exposed when an unauthorized party accessed a third-party SFTP server containing Frost Bank customer data between December 2025 and April 2026.
Who may qualify
You may be eligible to participate in a class action if any of the following applies:
- You received a data breach notification letter from Frost Bank dated May 2026.
- Your letter offered enrollment in free Cyberscout credit monitoring, credit reports, and credit scores (a TransUnion company).
- You had personal or financial information held by Frost Bank in its capacity as a banking and financial services provider.
- No proof of harm required to consult with counsel. You do not need to have already suffered identity theft to explore your legal options.
- Excluded: individuals who did not receive a breach notice and whose information was not involved in the incident.
Not sure if you qualify?
Send us your notice, we'll confirm your eligibility at no cost.
What happened
According to a notice filed with the California Attorney General, a third-party service provider's SFTP server used in connection with Frost Bank services was subject to intermittent unauthorized downloads between December 2025 and April 16, 2026. Frost Bank was informed of the incident on April 22, 2026, and immediately began analyzing the affected files with the assistance of external cybersecurity specialists. The bank's investigation found no evidence that the intrusion extended beyond that server or persisted after April 16, 2026.
Frost Bank completed its file review and began mailing notice letters to affected individuals on or around May 20, 2026. Approximately 191,848 Texas residents are reported to have been impacted, according to filings with Texas regulators. The compromised files contained copies of tax information forms and bill-pay check images, which may have included names, addresses, dates of birth, Social Security numbers or other taxpayer identification numbers, bank account numbers, credit or debit card numbers, and loan numbers. Affected individuals are being offered 12 months of credit monitoring, credit reports, credit scores, and proactive fraud assistance and remediation services through Cyberscout, a TransUnion company.
Because the exposed data reportedly includes Social Security numbers, financial account numbers, and tax documents, affected individuals face elevated risk of identity theft, account fraud, and tax-related fraud. Banking customers whose account and card numbers were exposed should monitor their accounts closely for unauthorized transactions and consider placing a fraud alert or security freeze with the major credit bureaus.
What to do if you received a letter
Keep your notice letter
Do not discard it. Your letter contains the enrollment code for Cyberscout credit monitoring and is important evidence if you decide to participate in a lawsuit.
Enroll in the free 12-month credit monitoring
Enroll in the Cyberscout (TransUnion) monitoring offered in your letter before the stated deadline. Accepting this benefit does not waive your right to pursue legal action.
Place a fraud alert or credit freeze
Contact Equifax, Experian, and TransUnion to place a fraud alert or freeze on your file. Request a free weekly credit report from AnnualCreditReport.com, and use the FTC's IdentityTheft.gov recovery guide.
Because bank account numbers and Social Security numbers may have been exposed, consider contacting your bank directly to discuss whether a new account number is warranted, and review your credit reports at annualcreditreport.com for any unfamiliar accounts or inquiries.
Speak with a data breach attorney
Consultations with Dapeer Law are free and confidential. We'll review your notice, explain your options, and advise whether you may be eligible to join a class action against Frost Bank.
Submit your notice for a free review
Two minutes online. A licensed attorney reviews every submission.
Breach timeline
Compensation you may be entitled to
Out-of-pocket expenses
Credit freezes, identity restoration services, and other costs incurred responding to the breach.
Time spent monitoring
Hours spent reviewing accounts, disputing fraudulent charges, and dealing with identity theft issues.
Identity theft & fraud losses
Unreimbursed funds stolen from accounts, unauthorized credit lines,
Given the exposure of Social Security numbers, bank account numbers, and tax documents, affected individuals may also face risk of tax-related fraud, new account fraud, and unauthorized loan applications.
or tax refund fraud tied to the breach.Statutory damages
Certain state data breach and consumer protection statutes provide for fixed damages regardless of actual loss.
Injunctive relief
Court orders requiring Frost Bank and its third-party vendors to implement stronger data security practices, including enhanced SFTP server access controls and monitoring.
Compensation categories depend on applicable state law, the types of data exposed, and documented losses. No recovery is guaranteed.
Common questions
I received a data breach letter from Frost Bank. What should I do? +
Keep your breach notice letter — it contains your Cyberscout enrollment code and serves as evidence if you pursue legal action. Enroll in the free 12-month credit monitoring through Cyberscout (a TransUnion company) before the deadline stated in your letter. Place a fraud alert or security freeze with Equifax, Experian, and TransUnion, and monitor your Frost Bank accounts and any credit or debit cards for unfamiliar transactions. If you notice suspicious activity, contact Cyberscout using the information in your notice and consider speaking with a data breach attorney.
Am I eligible to join a class action against Frost Bank? +
You may be eligible if you received a breach notice from Frost Bank dated on or around May 20, 2026, or if you experience unauthorized use of information exposed in the breach. Eligibility for a class action can also depend on your state of residence, the specific categories of data exposed in your case, and any documented losses. Completing a free case evaluation with Dapeer Law is the best way to assess your individual circumstances.
How much money could I receive from a class action lawsuit? +
Data breach class action recoveries vary significantly. Settlements typically range from a few hundred dollars for basic out-of-pocket losses to several thousand dollars for documented identity theft, with class size, damages, and negotiation all affecting the final amount. No payout is guaranteed, and this investigation has not yet resulted in a settlement.
What personal information was exposed in the breach? +
According to Frost Bank's notice, the compromised SFTP server contained copies of tax information forms and bill-pay check images. Those documents may include your name, address, date of birth, Social Security number or other taxpayer ID, bank account number(s), credit or debit card number(s), and loan number(s). Check your individual notice letter to confirm which specific data types apply to your account.
Did Frost Bank offer free credit monitoring? +
Yes. Frost Bank is offering 12 months of credit monitoring, credit reports, credit scores, and proactive fraud assistance and remediation services through Cyberscout, a TransUnion company. Enrollment instructions and the deadline are included in your notice letter. Enrolling in this benefit does not waive your right to participate in a lawsuit.
How many people were affected by the Frost Bank breach? +
Approximately 191,848 individuals were affected, according to a filing with Texas regulators. The number reported to the California Attorney General may reflect a subset of the total population.
Is there a deadline to take legal action? +
Yes. Statutes of limitations for data breach claims vary by state and legal theory, typically ranging from one to six years. Waiting can permanently bar your claim. Contact us as soon as possible for a free evaluation.
How do I get a copy of the official breach notice? +
Frost Bank's sample breach notice was filed with the California Attorney General's Office and is publicly available through the California AG's data breach notification portal. You can also obtain a copy of the relevant notice during a free consultation with Dapeer Law.
Sources & references
- Official breach notice filing · California Attorney General, Data Breach Notification
- Company · Frost Bank (frostbank.com)
- Credit bureau freezes · Equifax · Experian · TransUnion
- Free weekly credit reports · AnnualCreditReport.com
- Identity theft recovery guide · FTC IdentityTheft.gov
Don't let the deadline decide for you. Submit your claim today.
You only have a limited window to act. Our team will review your notice, explain your options, and tell you whether you may be eligible to recover compensation, at no cost to you.
