Santander’s customer and employee data exposed


Spanish bank Santander has reported that an unauthorized party gained access to customer and employee data in a database hosted by an outside provider. The bank's own operations and systems have not been affected.

The bank said in a statement that the data was from customers in Spain, Chile, and Uruguay, as well as all current and some former employees. No transaction data or credentials that would allow transactions to be performed were stored in the database, it said.

Customer data in all other markets and businesses was not affected, the bank said, adding that customers could continue to transact securely.

Santander, the euro zone's second-biggest bank by market value, said it had "immediately implemented measures to contain the incident," including blocking the compromised access to the database.

Without elaborating further on how the database was breached, Santander said it also established additional fraud prevention controls to protect the affected customers.

The bank declined to comment on how many clients had been affected. It has notified regulators and law enforcement agents and will continue to work closely with them while proactively contacting those affected directly, it said.

In 2020, the Cybernews research team discovered that the Belgian branch, Santander Consumer Bank, had a misconfiguration in its blog domain that allowed its files to be indexed. Researchers were able to see sensitive information, including an SQL dump and a JSON file that hackers could potentially use to phish Santander’s bank customers.

Last month, the International Monetary Fund said in a blog that rising cyber threats posed serious concerns for financial stability, adding that incidents in the financial sector could erode confidence in the financial system, disrupt critical services, or cause spillovers to other institutions.

In March, the European Central Bank told lenders in the eurozone to better prepare for risks related to cyberattacks after having said earlier this year that it would conduct a cyber resilience stress test on 109 directly supervised banks in 2024.

The exercise would be aimed at assessing how banks respond to and recover from a cyberattack rather than their ability to prevent it.

