Santander Customer Data Compromised Following Third-Party Breach

Written by

Banking giant Santander has confirmed that customer and employee data has been breached following a compromise of a third-party provider.

In a statement published on May 14, 2024, the bank revealed that “certain information” relating to customers of Santander Chile, Spain and Uruguay, as well as all current and some former Santander employees of the group, had been accessed by hackers.

Customer data in all other Santander markets and businesses have not been affected.

Impacted Customers Urged to Stay Vigilant

The breach was caused by threat actors’ unauthorized access to a Santander database hosted by a third-party provider, Santander said.

The database did not contain any transactional data, or credentials that would allow transactions to take place on accounts, such as online banking details and passwords.

Santander added that its operations and systems have not been affected, meaning customers can continue transactions securely.

After becoming aware of the compromise, the Spanish-based bank immediately implemented measures to contain the incident, including blocking the compromised access to the database and establishing additional fraud prevention controls to protect affected customers.

The firm commented: “We apologize for the concern this will understandably cause and are proactively contacting affected customers and employees directly. We have also notified regulators and law enforcement and will continue to work closely with them.”

Santander hasn’t disclosed the nature of the data that has been accessed, but warned impacted customers to be alert for phishing messages purporting to come from the bank.

The company urged customers to verify any information they receive and only contact Santander through official bank channels.

Tackling Growing Third Party Attacks

There have been numerous high-profile breaches in the past year caused by third-party vendors being compromised. This includes in the financial sector, with American Express (Amex) informing customers in March 2024 that their credit card details may have been compromised following a third-party data breach.

A report by SecurityScorecard and the Cyentia Institute in February 2023 found that 98.3% of organizations worldwide work closely with at least one third-party vendor that has been breached.

Cybersecurity experts have warned that organizations in critical sectors like finance must put in place more stringent security controls and requirements on third party vendors.

Thomas Richards, principal consultant at the Synopsys Software Integrity Group, commented: “Financial institutions are going to require more from their vendors to undergo security reviews and make improvements to better protect information being stored outside of their control.

“These reviews will most likely take the form of penetration testing, red teaming, and threat modeling. If they don’t already, the financial institutions will require these vendors to be either SOC II or ISO 27001 certified as a baseline of security standards.”

Erfan Shadabi, cybersecurity expert at comforte AG, said that alongside making such demands on suppliers, organizations should ensure that zero trust architecture is implemented to protect any data held by third parties. This incudes verifying every access attempt as if it originated from an open network on these databases, and adopting measures such as tokenization and encryption.

Shadabi explained: “These techniques ensure that even if a breach occurs, the data remains protected and unusable to unauthorized parties. By focusing on securing the data itself, organizations can provide an additional layer of defense that safeguards sensitive information regardless of the breach's origin.”

Image credit: Manuel Esteban / Shutterstock.com

What’s hot on Infosecurity Magazine?