Santander explains three types of customer affected by 'hackers stealing data'

Santander has explained three types of customers affected by a massive data breach. ShinyHunters posted an advert on a hacker forum for the data, which it says also includes staff HR details, with an asking price of $2m (£1.6m).

Santander, which employs 200,000 people including about 20,000 in the UK, confirmed that it had been hacked a fortnight ago. It said affected customers were those in Chile and Spain as well as Uruguary. In the post outlining the data it claims to hold the hacker collective taunts the bank, stating: “Santander is also very welcome if they want to buy this data.”

Santander said: "We recently became aware of an unauthorized access to a Santander database hosted by a third-party provider. We immediately implemented measures to contain the incident, including blocking the compromised access to the database and establishing additional fraud prevention controls to protect affected customers.

READ MORE HMRC hits thousands with 'most unfair tax in Britain' but people can escape it

"Following an investigation, we have now confirmed that certain information relating to customers of Santander Chile, Spain and Uruguay, as well as all current and some former Santander employees of the group had been accessed. Customer data in all other Santander markets and businesses are not affected.

"No transactional data, nor any credentials that would allow transactions to take place on accounts are contained in the database, including online banking details and passwords. The bank's operations and systems are not affected, so customers can continue to transact securely.

"We apologise for the concern this will understandably cause and are proactively contacting affected customers and employees directly. We have also notified regulators and law enforcement and will continue to work closely with them."

In a post on a hacking forum – first spotted by researchers at Dark Web Informer – ShinyHunters outlined the type and quantity of data it claims to have got its hands on. This runs to 30 million people’s bank account details, 6m account numbers and balances, and 28m credit card numbers.