Santander Bank Data Breach Exposes 10,000 Spanish Customer Records

The Santander Bank data breach has exposed a database containing 10,000 customer records from Spain, allegedly stolen and sold by a dark web actor known as BreachParty. The dataset includes highly sensitive financial and personal details such as full names, national ID numbers, phone numbers, dates of birth, and IBANs. The leak was first observed on November 8, 2025, and is believed to be part of a broader series of coordinated cyber incidents targeting Spanish financial institutions.

Background on Santander Bank

Banco Santander is one of Europe’s largest and most influential financial institutions, with millions of clients across Spain, Portugal, and Latin America. The bank provides retail, business, and online banking services, maintaining large repositories of customer data across its international branches. Because of its scale, Santander has long been a target for cybercriminal groups specializing in phishing, identity theft, and financial data sales. This most recent breach appears to have compromised a sample of verified banking data, suggesting unauthorized access to a connected system or vendor.

The breach surfaced shortly after another major leak involving ING Bank, which was also attributed to the same threat actor. The timing and structural similarities between both incidents suggest an organized campaign aimed at harvesting verified financial records from Spanish customers.

Details of the Leak

BreachParty, a recurring name on several underground cybercrime forums, posted an advertisement selling a CSV database labeled “SANTANDER BANK 10.000 IBAN LEAD (ES).” The listing claims the dataset includes Spanish customer data and contains the following fields:

  • Full name
  • National ID number
  • Date of birth
  • Primary and secondary phone numbers
  • IBAN and bank name

The actor shared a blurred sample of the records that aligns with known Spanish IBAN formats, adding credibility to the claim. Unlike ransomware groups that publish stolen data to pressure victims, BreachParty operates strictly as a seller, offering private sales to individual buyers through encrypted communication channels. This model limits public exposure but increases the risk of the data being quietly distributed among multiple criminal networks.

Preliminary analysis by independent cybersecurity researchers shows that the leaked records are formatted similarly to previously verified banking datasets, suggesting a direct extraction from financial or lending platforms. While Santander has not confirmed any breach, the data’s structure, including real IBAN prefixes associated with the bank, indicates a high likelihood of authenticity.
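
As an added illustration (not code from this article or from the researchers it cites), the sketch below shows the kind of structural check that can be run on IBANs in a claimed sample: the ISO 13616 mod-97 checksum, the Spanish account control digits, and extraction of the four-digit bank code for comparison against the named issuer. The sample values are constructed from the widely published example IBAN for Spain; a pass shows only that a value is well-formed, not that the account exists or belongs to any particular customer.

```python
import re
from collections import Counter

ES_IBAN = re.compile(r"ES[0-9]{22}")
WEIGHTS = (1, 2, 4, 8, 5, 10, 9, 7, 3, 6)  # Spanish CCC control-digit weights


def _ccc_digit(ten_digits: str) -> int:
    """One Spanish control digit: 11 - (weighted sum mod 11), with 10 -> 1, 11 -> 0."""
    d = 11 - sum(int(c) * w for c, w in zip(ten_digits, WEIGHTS)) % 11
    return {10: 1, 11: 0}.get(d, d)


def check_es_iban(raw: str) -> dict:
    """Structurally validate a Spanish IBAN; says nothing about account existence."""
    iban = re.sub(r"[\s-]", "", raw).upper()
    result = {"iban": iban, "format": False, "mod97": False, "ccc": False, "bank_code": None}
    if not ES_IBAN.fullmatch(iban):
        return result
    result["format"] = True
    # ISO 13616: move the first four characters to the end, map A-Z to 10-35, mod 97 == 1
    rearranged = iban[4:] + iban[:4]
    numeric = "".join(str(int(ch, 36)) for ch in rearranged)
    result["mod97"] = int(numeric) % 97 == 1
    # BBAN layout for Spain: bank (4) + branch (4) + control digits (2) + account (10)
    bank, branch, dc, account = iban[4:8], iban[8:12], iban[12:14], iban[14:]
    expected = f"{_ccc_digit('00' + bank + branch)}{_ccc_digit(account)}"
    result["ccc"] = dc == expected
    result["bank_code"] = bank
    return result


def triage(ibans):
    """Summarise a sample: count well-formed entries per bank code, list rejects."""
    per_bank, rejects = Counter(), []
    for raw in ibans:
        r = check_es_iban(raw)
        if r["format"] and r["mod97"] and r["ccc"]:
            per_bank[r["bank_code"]] += 1
        else:
            rejects.append(r["iban"])
    return per_bank, rejects


# Constructed sample: the published ES example IBAN plus two altered copies.
SAMPLE = [
    "ES91 2100 0418 4502 0005 1332",  # well-formed
    "ES91 2100 0418 4502 0005 1333",  # last digit changed: fails both checksums
    "ES9121000418450200051",          # truncated: wrong length
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A sample in which every IBAN passes and the bank codes match the named institution is consistent with real data, but valid checksums are trivial to generate, so this check can rule a listing out more reliably than it can confirm one.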

Connection to the ING Bank Breach

The Santander Bank data breach is part of a growing wave of attacks by BreachParty, which previously claimed responsibility for the theft of 21,000 records from ING Bank. Both datasets were posted within days of each other and contain nearly identical field structures, pointing to a shared compromised source such as a third-party financial service, payment processor, or analytics vendor.

Researchers believe that these recurring breaches may stem from misconfigured databases or unauthorized access through external partners that aggregate customer data for banking or marketing purposes. The frequency of these leaks has prompted calls for stronger enforcement of GDPR-compliant data handling policies across Spain’s financial sector.

Who Is BreachParty?

BreachParty is a data brokerage group that surfaced in 2024 and became known for selling financial and government datasets rather than conducting ransomware attacks. The group promotes its listings across several dark web markets and encrypted Telegram channels, offering verified “lead databases” from Europe and Latin America. Their typical method involves combining newly stolen data with fragments of previous leaks to create larger, more convincing packages for resale.

The group’s listings usually include structured metadata, consistent formatting, and clear references to specific organizations, which increases the perceived authenticity of its offers. Transactions are made through cryptocurrency, usually Bitcoin or Monero, and data delivery occurs privately to avoid exposure. In some cases, BreachParty’s datasets have been verified as real by third-party analysts, lending further weight to its credibility in the cybercrime ecosystem.

Potential Risks for Affected Customers

The leaked Santander data poses several risks to affected individuals. Even though IBANs cannot directly authorize transfers, when combined with names, IDs, and phone numbers, this information can be used for fraud and identity theft. Cybercriminals often exploit these details for targeted phishing campaigns, pretending to represent Santander’s fraud department or account verification team.

Common risks include:

  • Phishing and Smishing: Attackers use text messages or emails to trick victims into revealing additional banking credentials.
  • Social Engineering: Fraudsters impersonate bank staff to pressure customers into confirming transactions or account details.
  • Identity Theft: Leaked national IDs and dates of birth can be used to open new accounts or apply for unauthorized loans.
  • Credential Attacks: If any login or contact data overlaps with previously breached credentials, attackers may attempt direct account access.

These campaigns are often automated, with criminals sending thousands of fraudulent emails or text messages per day. Because Santander operates in multiple countries, the same dataset may also be used for cross-border scams in Portuguese- and English-speaking markets.

Technical Indicators and Verification

Cyber intelligence sources monitoring the sale have noted that the dataset follows the same naming conventions used by BreachParty in previous leaks, suggesting the data was extracted from a consistent internal structure. The CSV format and column titles match those found in verified European banking leaks shared earlier this year. This implies that the same toolset or access method was used across multiple banks.

The listing appeared on November 8 and remains active, with BreachParty responding to buyer inquiries. Analysts from multiple cyber threat monitoring platforms, including Darkfeed and Hackmanac, have confirmed that the IBANs previewed in the sample correspond to real Spanish accounts, though none of the visible identifiers appear to belong to Santander executives or public figures. Researchers are still assessing whether the breach originated from within Santander’s systems or through an affiliated third-party service provider.

If the authenticity of the Santander Bank data breach is confirmed, it may trigger an investigation by Spain’s data protection authority, the Agencia Española de Protección de Datos (AEPD). Under the European Union’s GDPR framework, banks and their partners are required to report any data exposure within 72 hours of discovery. Failure to do so can result in significant fines and legal action, especially when financial information and national IDs are involved.

While Santander has not issued a public statement, it is likely that internal reviews are underway. In previous incidents of similar scale, the bank has cooperated with Spanish regulators and law enforcement to identify the source of leaks and mitigate customer risk. The AEPD may also coordinate with the European Central Bank’s cybersecurity unit if it determines that the breach impacts cross-border financial systems.

Impact on the Spanish Financial Industry

Spain’s banking sector has become a recurring target for cybercriminal groups over the past year, with several incidents linked to exposed databases and unsecured web servers. Threat actors are increasingly targeting secondary data holders such as fintech startups, analytics platforms, and marketing firms that manage large volumes of financial data but lack the same level of security oversight as major banks.

The rapid succession of leaks involving Santander and ING suggests systemic weaknesses within shared data ecosystems. Once exposed, even a small dataset can be resold, merged with older information, and reused for new forms of fraud. This cycle perpetuates the long-term exposure of affected individuals, even after they change passwords or update contact details.

Experts warn that Spain may be witnessing the early stages of a coordinated data-harvesting campaign aimed at creating detailed banking identity profiles for sale on underground marketplaces. Such datasets are valuable for social engineering operations, scam call centers, and money laundering schemes conducted through European payment networks.

Protective Measures for Consumers

Customers concerned about their data being included in the Santander Bank data breach should take immediate steps to protect their financial accounts and personal information. Security experts recommend the following measures:

  • Monitor bank statements for unauthorized charges or changes to account information.
  • Report suspicious activity directly to Santander using official contact channels.
  • Enable two-factor authentication (2FA) for all online and mobile banking access.
  • Ignore unsolicited calls, texts, or emails requesting verification or payment confirmation.
  • Do not share personal or banking details through links received via email or SMS.
  • Regularly review credit reports for unusual activity or new credit applications.
  • Scan all devices using Malwarebytes to detect any potential phishing or spyware threats.

Customers can also contact Santander to inquire whether their personal data may have been affected and request enhanced account monitoring. If verified, the bank may offer additional support or identity protection services to minimize risk.

The incident highlights the growing exposure of financial institutions to dark web data trading. Whether this breach stems from an internal compromise or a third-party vendor, it demonstrates the urgent need for tighter controls on shared data infrastructure and vendor access. As investigators continue to trace the source, Spanish customers should remain alert and take proactive steps to secure their personal information.

For verified coverage of major data breaches and the latest cybersecurity developments, visit Botcrawl for expert reporting on global cyber threats and financial data exposure incidents.

Sean Doyle

Sean is a tech author and security researcher with more than 20 years of experience in cybersecurity, privacy, malware analysis, analytics, and online marketing. He focuses on clear reporting, deep technical investigation, and practical guidance that helps readers stay safe in a fast-moving digital landscape. His work continues to appear in respected publications, including articles written for Private Internet Access. Through Botcrawl and his ongoing cybersecurity coverage, Sean provides trusted insights on data breaches, malware threats, and online safety for individuals and businesses worldwide.
