Navigating a Third-Party Data Breach: Santander’s Effective Communication Strategy

Written by: Lisa Forte


Last week the Spanish bank, Santander, reported that they had suffered a data breach via a third party. The data was held in a database hosted by a third-party provider.

A breach of a third party

The bank is the eurozone’s second largest in terms of lending and has a presence across the globe. In the case of this attack, Santander stated that only customers in Chile, Spain and Uruguay were impacted, along with the data of all currently serving employees and some former employees.

This attack follows a wave of attacks on financial services organisations, all via their supply chains. In February, Bank of America warned their customers of a data breach following a ransomware attack on a third party. Just the next month, Fidelity Investments reported an almost identical attack. Then American Express notified their customers of a credit card information breach, again following an attack on a third party. All of this follows last year’s attacks on MOVEit and the effect they had on financial institutions such as Deutsche Bank and ING Group.

In March, the European Central Bank told eurozone lenders to prepare for risks and that it will conduct a stress test on 109 banks during 2024. The ECB have been acutely aware of the supply chain cyber risks that face financial institutions and the impact that they can have.

So the attack impacting Santander raises some serious questions about the security of our supply chains, along with their levels of resilience. However, instead of diving into that side of the attack, I want to look at what Santander did well, from my perspective, and how we should be learning lessons from the “good” responses as well as the bad.


Communications: What Santander did well

The details of the attack aren’t disclosed at the time of writing, so this is based on the public-facing communications that were put out by the bank and, as someone who works in incident response, I must say I thought they were just short of excellent.


What happened? So what? Now what?

In their statement they clearly lay out what has happened; so what (the impact of that); and now what (what they are doing about it). This is a great structure to use: it avoids trivialising the situation and clearly walks the reader through the steps that are being taken. They use clear language and provide the statement in multiple languages given the geographic spread of the attacks.


Limiting the blast radius

Limiting the blast radius is an essential strategy for damage mitigation and the protection of your customers and employees. Santander’s comms statement points to two ways they are trying to achieve this.


Implementing additional fraud prevention controls

Firstly, they clearly reassure people that they have implemented “additional fraud prevention controls” for those impacted by the breach. Some infosec professionals commented that this was essentially just “closing the stable door after the horse has bolted”. I disagree. I think it is a responsible and proactive move given what has unfolded. Clearly there are preventive security lessons Santander and the other banks have learned in these cases, but that is a separate discussion. Knowing how to implement things like additional fraud controls or credit monitoring for those impacted is not only a good way to limit the blast radius of an attack and protect the people impacted, it also shows that your organisation acknowledges this is worrying to people and cares enough to try to limit that.


Attempting to mitigate the phishing risk

The second way they did this, often seen in the comms statements of financial institutions but rarely outside of that industry, was a statement included at the end reminding customers of the phishing risk. One thing I often see organisations miss out of comms statements is the preventative advice, which is just as crucial, if not more so. Santander do this well, reminding customers that the bank will “never ask for codes, OTPs or passwords”, that they should never click on links in phishing emails, and how to report any suspicious communication. My recommendation to those of you reading this is to add a suitable version of this text to the bottom of your comms templates for cyber attacks.

Proactive customer contact

Santander also state that they are proactively contacting customers. This is a resource-intensive activity, but one that in my experience has a huge effect in terms of reassuring customers. There are a few industries where customer anxiety is likely to be higher than average (finance, health and legal being three), so proactive contact can reassure people early.



Overall, from a public comms perspective, I think Santander did a good job. They were honest, sufficiently transparent and their messages focused on reassuring customers and preventing further harm. You can’t do much better than that if you end up in these situations.

The attack itself does raise some serious questions around supply chain security. The financial services industry is not unique; this is a complex problem plaguing everyone. The attackers have clearly identified this soft spot and are devoting a significant amount of energy and resource towards exploiting it, which means we need to do the same.
