Hacker Sells Apparent Santander Bank Customer Data
ShinyHunters Advertises Data Set of '30 Million Customers' for $2 Million
A hacker is selling the purported data of 30 million customers of Spanish multinational bank Santander for $2 million on a criminal online forum the FBI recently attempted to shut down.
A listing on the BreachForums data leak marketplace by administrator ShinyHunters says the data set contains 6 million account numbers and balances and 28 million credit card numbers belonging to Santander customers located in Chile, Spain and Uruguay as well as internal employee data. The bank disclosed on May 14 that it detected "unauthorized access to a Santander database hosted by a third-party provider." The company did not immediately respond to a request for comment.
The bank's most recent quarterly report lists considerably fewer than 30 million clients in the three affected countries - just 4 million in Chile, 15 million in Spain and half a million in Uruguay.*
"No transactional data, nor any credentials that would allow transactions to take place on accounts are contained in the database, including online banking details and passwords. The bank's operations and systems are not affected, so customers can continue to transact securely," the bank said.
Sample data posted online by ShinyHunters suggests the data set is genuine, said Richard Bird, chief security officer at Traceable AI and a former JPMorgan Chase security executive, who reviewed it at Information Security Media Group's request. Sections of the spreadsheet appear to be data contained within customer information files, including records of the last time that Santander verified the contact information of a client. Recent dates include verifications made at the start of this month.
Even without banking credentials or transactional data, data contained within the files "looks like it could facilitate five or six different hacking campaigns," said Bird, who is a member of the CyberEdBoard.
At the very least, fraudsters could use contact information and banking interaction details to social-engineer clients into revealing their credentials. Employee data could be used for business email compromise, and information that appears to list Santander investments might reveal trading strategies. Santander employees should be extra cautious about suspicious emails that could lead to ransomware attacks, Bird said.
ShinyHunters' asking price of $2 million suggests cybercriminals have already analyzed the data to see if it contains anything valuable, he added. "If he knew the data was worthless, he wouldn't pop his head up."
The BreachForums administrator earlier this week advertised a "one time sale" of 1.3 terabytes of data apparently stolen from Ticketmaster (see: Stolen Ticketmaster Data Advertised on Rebooted BreachForums).
An international law enforcement operation seized the criminal marketplace earlier this month, but its administrators said they were able to reestablish operations on a seized domain. ShinyHunters' explanation is that a registrar based in Hong Kong restored its account, allowing administrators to retake control before shifting to a different registrar.
*Updated May 31, 2024, 20:41 UTC: Adds in customer data taken from a Santander financial report.