Santander Customer Data Swiped in Third-Party Cyber Attack

Santander is warning customers and employees across Spain, Chile and Uruguay that their data may have been exposed following a cyber attack on a third-party supplier.

The bank, which is Europe’s second-biggest bank by market value, confirmed the incident to Spain's National Securities Market Commission (CNMV) on Tuesday, reporting it suffered "unauthorised access to a database".

This database included data from "all employees and some former employees of the group", with the exception of Germany, it said. This means the exposed data could impact as many as 200,000 current and former Santander employees across the globe. 

Santander assured CMNV it "immediately" implemented measures to handle the incident, such as blocking access to the database and reinforcing fraud prevention to protect customers. 

It said it had established additional fraud prevention controls to protect the affected customers but did not elaborate on how the database was breached or what data was breached,

Still, It insisted that the exposed data did not include highly sensitive data, such as passwords, and no data on transactions, nor any credentials that would allow performing transactions were stored in the database. 

"In the database, there is no transactional information or access credentials or internet banking passwords that would allow transactions with the bank," Santander said in its communication to CNMV.

Santander added that it regrets the situation and is "proactively" informing "the customers and employees directly affected". The bank has also reported the incident to police, who have launched an investigation.

Third-Party Cyber Attack

The exposed Santander data was stored in a database hosted on a server managed by one of its third-party suppliers, which hackers were able to successfully infiltrate to gain access to the bank’s employee and customer data.

These third-party attacks are the most common in the financial sector because these outsourced firms tend to have more vulnerabilities than the parent company's security systems.

In February this year, for instance, Bank of America’s customer data was breached following a cyber attack by LockBit on Infosys McCmamish Systems (IMS) – one of its third-party service providers 

Sylvain Cortes, VP of Strategy at Hackuity, said banks are at increased risk of cybercrime due to being increasingly reliant on third parties. 

“Commercial pressures are driving banks to digitise their services which makes them ever more reliant on service providers. But this also means that their providers become a significant point of security exposure. In cruder terms, their supply chain is their problem to manage.

"It’s not just that banks are under attack. Risk cascades down through any service provider, supplier, or partner that holds or processes their sensitive data and who is also a prime target."

"Particularly in light of DORA and future regulations, this incident is another wake-up call of the small ‘degrees of separation’ in our complex supply chains: any weak links expose banks – and their customers’ data – to significant risk.”

At present, all Spanish banks must immediately inform the Spanish Data Protection Agency (AEPD) and the European Central Bank (ECB), of any data theft of this magnitude from their databases, in addition to the CMNV and the affected customers themselves. 

The ECB has already imposed heavy fines on banks that have left it too late to notify authorities about hacking, hence Santender’s speed in notifying regulators. 

In March, it told lenders in the eurozone to better prepare for risks related to cyber attacks after having said earlier this year that it would conduct a cyber resilience stress test on 109 directly supervised banks in 2024.

The exercise would be aimed at assessing how banks respond to and recover from a cyber attack, rather than their ability to prevent it.