
Hacker Sells Apparent Santander Bank Customer Data

ShinyHunters Advertises Data Set of '30 Million Customers' for $2 Million

A hacker is selling the purported data of 30 million customers of Spanish multinational bank Santander for $2 million on a criminal online forum the FBI recently attempted to shut down.

A listing on the BreachForums data leak marketplace by administrator ShinyHunters says the data set contains 6 million account numbers and balances and 28 million credit card numbers belonging to Santander customers located in Chile, Spain and Uruguay as well as internal employee data. The bank disclosed on May 14 that it detected "unauthorized access to a Santander database hosted by a third-party provider." The company did not immediately respond to a request for comment.

The bank's most recent quarterly report lists considerably fewer than 30 million clients in the three affected countries - just 4 million in Chile, 15 million in Spain and half a million in Uruguay.*

"No transactional data, nor any credentials that would allow transactions to take place on accounts are contained in the database, including online banking details and passwords. The bank's operations and systems are not affected, so customers can continue to transact securely," the bank said.

Sample data posted online by ShinyHunters suggests the data set is genuine, said Richard Bird, chief security officer at Traceable AI and a former JPMorgan Chase security executive, who reviewed it at Information Security Media Group's request. Sections of the spreadsheet appear to be data contained within customer information files, including records of the last time that Santander verified the contact information of a client. Recent dates include verifications made at the start of this month.

Even without banking credentials or transactional data, data contained within the files "looks like it could facilitate five or six different hacking campaigns," said Bird, who is a member of the CyberEdBoard.

At the very least, fraudsters could use contact information and banking interaction details to social-engineer clients into revealing their credentials. Employee data could be used for business email compromise, and information that appears to list Santander investments might reveal trading strategies. Santander employees should be extra cautious about suspicious emails that could lead to ransomware attacks, Bird said.

ShinyHunters' asking price of $2 million suggests cybercriminals have already analyzed the data to see if it contains anything valuable, he added. "If he knew the data was worthless, he wouldn't pop his head up."

The BreachForums administrator earlier this week advertised a "one time sale" of 1.3 terabytes of data apparently stolen from Ticketmaster (see: Stolen Ticketmaster Data Advertised on Rebooted BreachForums).

An international law enforcement operation seized the criminal marketplace earlier this month, but its administrators said they were able to reestablish operations on a seized domain. ShinyHunters' explanation is that a registrar based in Hong Kong restored its account, allowing administrators to retake control before shifting to a different registrar.

*Updated May 31, 2024, 20:41 UTC: Adds in customer data taken from a Santander financial report.


About the Author

David Perera

Editorial Director, News, ISMG

Perera is editorial director for news at Information Security Media Group. He previously covered privacy and data security for outlets including MLex and Politico.



