Banco Santander, a Spanish multinational bank, has suffered a third-party data breach after a threat actor accessed a database managed by an external vendor.
Banco Santander S.A. is one of the world’s largest financial institutions, with 140 million customers in Spain, the United States, the United Kingdom, Brazil, Mexico, and other countries.
“We recently became aware of an unauthorized access to a Santander database hosted by a third-party provider,” the financial institution disclosed on its website.
Although the cyber attack did not disrupt operations, Santander believes that it exposed personal information across several countries.
Santander third-party data breach leaked employee and customer information
Upon discovering the cyber intrusion, Banco Santander responded by implementing containment measures to deny the threat actor further access to the compromised database and protect the impacted victims.
“We immediately implemented measures to contain the incident, including blocking the compromised access to the database and establishing additional fraud prevention controls to protect affected customers,” said the bank.
According to Banco Santander’s assessment, the cyber incident affected its customers in three markets across Europe and South America, as well as some former employees. Other markets and entities were not affected by the third-party data breach.
“Following an investigation, we have now confirmed that certain information relating to customers of Santander Chile, Spain and Uruguay, as well as all current and some former Santander employees of the group had been accessed,” noted the bank.
Although the nature of the information compromised remains undetermined, the third-party data breach did not expose transaction details or account credentials that would compromise the security of the victims’ accounts.
“No transactional data, nor any credentials that would allow transactions to take place on accounts are contained in the database, including online banking details and passwords,” said the bank.
Unlike most ransomware incidents and DDoS attacks, Banco Santander’s third-party data breach did not disrupt internal operations, allowing customers to continue transacting confidently.
Meanwhile, Banco Santander said it has notified relevant regulatory and law enforcement authorities and would continue “proactively contacting affected customers and employees directly.”
However, crucial details of the cyber attack, including the attack vector, number of victims, breached third party, and threat actor’s identity, remain unknown or undisclosed.
Santander has advised its bank account holders to remain vigilant for potential phishing attacks following the third-party data breach.
The financial institution warned customers against sharing OTP codes and passwords with third parties if someone claiming to be a Santander employee requests them.
Clients should also verify any communications with the bank’s official channels before taking action, report suspicious messages, and avoid clicking on unsolicited email links to access their accounts. Lastly, they should never ignore their accounts’ security alerts and notifications.
Dependence on outsourcing increases risks of third party data breach
Financial institutions heavily depend on outsourcing and external vendors, making them vulnerable to various forms of third-party cyber attacks and inadvertent data leaks.
“Yet another report of an unfortunate third-party breach,” said Dave Ratner, CEO of HYAS. “While it’s a good thing that no transaction details, credentials, or passwords were exposed, other third-party breach victims may not be so lucky, and these events will unfortunately continue across the industry until organizations adopt appropriate cyber resiliency approaches.”
In March 2024, payment card provider American Express (Amex) notified customers that a third-party data breach had compromised their credit cards.
In February 2024, Bank of America and Fidelity Investments Life Insurance Company disclosed that their technology partner Infosys McCamish Systems (IMS) had leaked the sensitive information of 57,000 and 30,000 customers, respectively.
