Banking details of 30 million Santander customers exposed during breach allegedly up for sale on the dark web

The Santander logo, on the side of a wall with red accents.
(Image credit: Getty Images)

Information stolen during a major data breach affecting millions of Santander customers and all of its staff earlier in May has allegedly been listed for sale on the dark web.

The seller, a threat collective known as ShinyHunters, claims to have financial data linked to 30 million existing Santander customers, including their credit card details.

The group recently made headlines for listing a 1.3TB database stolen from Ticketmaster, containing personal information linked to over 560 million of the company’s users.

Santander confirmed it had suffered a cyber incident on 14 May 2024, reporting to Spain’s National Securities Market Commission that there had been “unauthorized access to a database hosted by a third-party provider”.

The bank has stated it immediately implemented mitigation measures and put in place additional fraud prevention controls to prevent affected customers.

“Following an investigation, we have now confirmed that certain information relating to customers of Santander Chile, Spain, and Uruguay, as well as all current and some former Santander employees of the group had been accessed. Customer data in all other Santander markets and businesses are not affected”, the statement added.

No transactional data, access credentials, or mobile banking passwords that could be used to authorize transactions from the bank were accessed, according to Santander.

In the listing posted by ShinyHunters, the group claims to be selling bank account details associated with 30 million people, 6 million account numbers, 28 million credit card numbers, and HR information linked to Santander staff.

Santander declined to confirm or deny whether this information was accurate when approached for comment by ITPro and instead referred to its statement issued on 14 May. 

The company did confirm that no customer data in the UK was affected in the breach.

Financial businesses need to require more from their vendors

Thomas Richards, principal consultant at the Synopsys Software Integrity Group said the incident emphasizes a pattern of threat actors targeting critical third parties to get access to more sensitive information in partner organizations:

“This incident highlights the trend of third-party providers undergoing additional security scrutiny. Over the past few years, there have been several instances of compromise where the root cause was a security issue from a third party.”

He noted that organizations operating in the financial services industry will need to reevaluate not only their own security measures but also those of their partners, to avoid similar incidents.

“Financial institutions are going to require more from their vendors to undergo security reviews and make improvements to better protect information being stored outside of their control,” he explained.

“These reviews will most likely take the form of penetration testing, red teaming, and threat modeling. If they don’t already, the financial institutions will require these vendors to be either SOC II or ISO 27001 certified as a baseline of security standards."

Data from the Information Commissioner’s Office (ICO) shows that as many as 20.4 million people in the UK have been compromised in cyber attacks on financial services companies in the last year. 

This marks a 143% increase from the 8.4 million individuals affected in the previous year. 

The International Monetary Fund (IMF) has also warned cyber attacks against financial services are rising, with $2.5 billion having been lost to cyber attacks between 2020 and 2024.

Ben Marsh, class underwriter at insurance company Chaucer added that financial services institutions are often among the top targets for cyber criminals due to the value of the data they store.

“Financial services businesses will often hold huge amounts of data they collect as part of their client onboarding process such as debit and credit card numbers, passports, address information, and other ID documents. This data is highly valuable and is regularly traded on the dark web.”

Solomon Klappholz
Staff Writer

Solomon Klappholz is a Staff Writer at ITPro. He has experience writing about the technologies that facilitate industrial manufacturing which led to him developing a particular interest in IT regulation, industrial infrastructure applications, and machine learning.