Hackers are attempting to sell what they say is confidential information belonging to millions of Santander staff and customers.
They belong to the same gang which this week claimed to have hacked Ticketmaster.
The bank – which employs 200,000 people worldwide, including around 20,000 in the UK – has confirmed data has been stolen.
Santander has apologised for what it says is “the concern this will understandably cause”, adding it is “proactively contacting affected customers and employees directly.”
“Following an investigation, we have now confirmed that certain information relating to customers of Santander Chile, Spain and Uruguay, as well as all current and some former Santander employees of the group had been accessed,” it said in a statement posted earlier this month.
“No transactional data, nor any credentials that would allow transactions to take place on accounts are contained in the database, including online banking details and passwords.”
It said its banking systems were unaffected so customers could continue to “transact securely.”
In a post on a hacking forum — first spotted by researchers at Dark Web Informer — the group calling themselves ShinyHunters posted an advert saying they had data including:
- 30 million people’s bank account details
- 6 million account numbers and balances
- 28 million credit card numbers
- HR information for staff
Santander has not commented on the accuracy of those claims.
ShinyHunters have previously sold data confirmed to have been stolen from US telecoms firm AT&T.
The gang is also selling what it says is a huge amount of private data from Ticketmaster.
The Australian government says it is working with Ticketmaster to address the issue. The FBI has also offered to assist.
Some experts have said ShinyHunters’ claims should be treated with caution, as they may be a publicity stunt.
However, researchers at cyber-security company Hudson Rock claim that the Santander breach and the apparent Ticketmaster one are linked to a major ongoing hack of a large cloud storage company called Snowflake.
Hudson Rock says it has spoken to the perpetrators of the alleged Snowflake hack – who claim that they gained access to its internal system by stealing the login details of a member of Snowflake staff.
In a statement on Friday, Snowflake said it was aware of “potentially unauthorised access” to a “limited number” of customer accounts.
It said it appeared hackers had used login information to access a demo account owned by a former Snowflake employee.
That account “did not contain sensitive data,” the company said.
“We have no evidence suggesting this activity was caused by any vulnerability, misconfiguration, or breach of Snowflake’s product,” it added.