
ING Bank Data Breach Exposes 21,000 Spanish Customer Records

A new ING Bank data breach has been reported involving over 21,000 customer records allegedly stolen from ING Bank Spain. The threat actor known as BreachParty posted the dataset on a dark web forum, claiming that the stolen information includes full names, ID numbers, phone numbers, IBANs, and bank codes. The post, dated November 5, 2025, lists the leak as “ING BANK 2025 21.090 IBAN LEAD ES” and includes sample data to prove authenticity.

Background

The attacker’s listing describes a CSV file containing 21,090 records of customer data from Spain. The dataset reportedly includes the following information:

  • ID numbers and dates of birth
  • Full names and cities
  • Primary and secondary phone numbers
  • IBANs, bank codes, and bank names

BreachParty claims that the data is fresh and available for sale to private buyers. The actor also stated that they would provide the “complete lead” upon private request, suggesting the listing is part of a commercialized data trade rather than a free leak. The forum post uses professional formatting, typical of brokers selling verified datasets from financial institutions.

ING Bank’s Response

Following the claims, ING España released an official statement on @ING_es to clarify the situation. The bank confirmed that a data leak involving some ING customers and other entities occurred due to a security breach external to ING. However, the company emphasized that “the security of our clients and systems has not been affected” and noted that it has taken “extraordinary measures” to strengthen protection and ensure the continued safety of customer data.

ING’s message indicates that the breach may have originated from a third-party vendor or data processor handling customer information, rather than the bank’s internal infrastructure. Similar incidents have occurred in the financial sector where marketing, analytics, or payment processing companies become the weakest link exploited by cybercriminals.

Key Cybersecurity Insights

1. Data for Sale, Not a Ransom

Unlike ransomware groups that demand direct payment from victims, BreachParty operates more like a data broker, selling stolen datasets to other cybercriminals or fraud operators. This means the data is likely to be distributed widely and permanently once purchased, increasing the risk of identity theft and financial fraud for affected customers.

2. Exposure of IBAN and Banking Information

The ING Bank data breach is particularly severe because it includes IBANs and bank codes tied to real individuals. This information can be exploited for account linking, phishing, or fraudulent financial transactions. When combined with personal details like ID numbers and phone numbers, this dataset provides a complete profile for attackers to impersonate victims in banking and credit operations.

3. External Vendor Breach Risk

ING’s statement suggesting an “external” breach is consistent with third-party supply chain incidents that have plagued the financial sector. Attackers often compromise partners or service providers with weaker security measures, allowing them to access sensitive data shared during legitimate business operations. Even if ING’s internal systems remain uncompromised, the reputational and regulatory consequences can still be significant.

Under the European Union’s General Data Protection Regulation (GDPR), ING and any associated third-party vendors must report confirmed data leaks to the Agencia Española de Protección de Datos (AEPD) within 72 hours. Even if ING is not directly responsible, failure to ensure adequate third-party security could result in fines or compliance scrutiny.

Implications of the ING Bank Spain Data Breach

The data offered by BreachParty represents a serious threat to ING customers in Spain and potentially across the EU. The inclusion of ID and IBAN data makes the dataset highly valuable for financial scams. Attackers can use this information to:

  • Launch phishing campaigns impersonating ING support teams
  • Submit fraudulent bank applications or transactions
  • Target victims for social engineering and SIM swapping attacks
  • Cross-reference with other breaches to enhance identity theft profiles

Because the dataset allegedly contains multiple phone numbers and city-level information, attackers can craft personalized phishing and vishing attacks that appear extremely convincing. These attacks often bypass basic security awareness training due to the use of accurate and specific details.

Mitigation Strategies

For ING Bank and Third-Party Vendors

  • Conduct an Immediate Forensic Audit: Engage digital forensics experts to trace the origin of the breach and confirm whether any third-party systems were involved.
  • Review Vendor Access: Audit all external partners that process customer data to ensure compliance with GDPR security standards.
  • Public Transparency: Maintain communication with affected users through official channels and issue security advisories about potential scams or fraudulent activity.
  • Strengthen Vendor Agreements: Update third-party contracts to include mandatory data protection clauses and incident reporting requirements.

For Affected Customers

  • Be Alert for Phishing: ING customers should treat all unsolicited calls, texts, or emails about account security with suspicion. Verify communications directly through ING’s official website or app.
  • Monitor Bank Accounts: Regularly review transactions and immediately report any unauthorized activity to ING customer service.
  • Enable Alerts: Turn on account notifications and two-factor authentication (2FA) wherever possible.
  • Watch for Identity Fraud: Monitor credit reports for unusual activity, especially if your national ID or phone number was exposed.

The ING Bank data breach is a significant event within Spain’s financial sector and another reminder of the escalating threat posed by dark web data brokers. While ING Bank asserts that its internal systems remain secure, the exposure of over 21,000 customer records underscores the critical importance of third-party risk management in financial institutions.

Even when a company’s infrastructure is secure, its data can still be compromised through external vendors, marketing platforms, or analytics services. The rapid emergence of BreachParty as a new actor selling verified datasets also indicates that smaller, opportunistic cybercriminals are now filling the gaps left by dismantled ransomware syndicates.

Customers should remain vigilant, report suspicious activity, and avoid engaging with any unverified messages referencing ING or their financial data.

For more coverage of active data breaches and related cyber threats, visit Botcrawl.

Sean Doyle

Sean is a tech author and security researcher with more than 20 years of experience in cybersecurity, privacy, malware analysis, analytics, and online marketing. He focuses on clear reporting, deep technical investigation, and practical guidance that helps readers stay safe in a fast-moving digital landscape. His work continues to appear in respected publications, including articles written for Private Internet Access. Through Botcrawl and his ongoing cybersecurity coverage, Sean provides trusted insights on data breaches, malware threats, and online safety for individuals and businesses worldwide.
