Santander Holdings U.S.A.

In June 2024, the Vermont Office of the Attorney General disclosed a data breach affecting Santander Holdings U.S.A., which transpired between late April and early May 2024. The incident stemmed from unauthorized access to a third-party database, compromising employee personal information, including names, Social Security numbers, and bank account details. While the exact number of impacted individuals remains undisclosed, the breach exposed highly sensitive data, raising concerns over potential identity theft, financial fraud, and reputational harm. The breach did not involve customer data or ransomware demands, but the exposure of employee financial and identification records underscores significant internal vulnerabilities. Authorities and the company are likely investigating the scope of the breach, mitigation measures, and compliance with data protection regulations. The incident highlights risks associated with third-party vendor security and the critical need for robust access controls to safeguard employee data.

Source: https://ago.vermont.gov/document/2024-06-18-santander-holdings-usa-data-breach-notice-consumers

TPRM report: https://www.rankiteo.com/company/santander-us

"id": "san009091825",
"linkid": "santander-us",
"type": "Breach",
"date": "4/2024",
"severity": "60",
"impact": "3",
"explanation": "Attack with significant impact with internal employee data leaks"

{'affected_entities': [{'industry': 'Banking/Finance',
                        'location': 'United States',
                        'name': 'Santander Holdings U.S.A.',
                        'type': 'Financial Services'}],
 'data_breach': {'data_exfiltration': 'likely (unauthorized access reported)',
                 'personally_identifiable_information': ['names',
                                                         'Social Security '
                                                         'numbers'],
                 'sensitivity_of_data': 'high',
                 'type_of_data_compromised': ['personally identifiable '
                                              'information (PII)',
                                              'financial data']},
 'date_publicly_disclosed': '2024-06-18',
 'description': 'On June 18, 2024, the Vermont Office of the Attorney General '
                'reported a data breach involving Santander Holdings U.S.A., '
                'which occurred between late April and early May 2024. The '
                'breach involved unauthorized access to a third-party database '
                'affecting certain employee personal information, including '
                'names, Social Security numbers, and bank account information, '
                'although the number of individuals affected is currently '
                'unknown.',
 'impact': {'data_compromised': ['names',
                                 'Social Security numbers',
                                 'bank account information'],
            'identity_theft_risk': 'high (PII exposed)',
            'payment_information_risk': 'high (bank account information '
                                        'exposed)',
            'systems_affected': ['third-party database']},
 'initial_access_broker': {'high_value_targets': ['employee personal data']},
 'investigation_status': 'ongoing (number of affected individuals unknown)',
 'references': [{'date_accessed': '2024-06-18',
                 'source': 'Vermont Office of the Attorney General'}],
 'regulatory_compliance': {'regulatory_notifications': ['Vermont Office of the '
                                                        'Attorney General']},
 'response': {'communication_strategy': 'Public disclosure via Vermont Office '
                                        'of the Attorney General'},
 'title': 'Santander Holdings U.S.A. Data Breach (2024)',
 'type': 'Data Breach'}