
Cyber Incident Victim: Banco Santander Mexico

Date: Jan 2021

Location: Mexico

Summary

A threat actor leaked data of 10,000 Mexico-based American Express credit cardholders on a hacker forum, exposing full account numbers and personally identifiable information including names, addresses, phone numbers, dates of birth, and gender. The actor also claimed to hold, and advertised for sale, additional data from Santander and Banamex customers. While sensitive financial details like expiration dates or passwords were absent, the exposed information could facilitate spam campaigns or targeted phishing attempts leveraging the compromised personal details. American Express acknowledged awareness of the incident and emphasized existing fraud monitoring systems, assuring customers they would not be liable for unauthorized transactions. The breach primarily risked misuse of customer data for marketing or social engineering rather than direct financial fraud.


Description

On or around January 5, 2021, a threat actor publicly leaked a dataset containing 10,000 Mexico-based American Express credit cardholder records on a hacker forum. The leaked information included full credit card account numbers alongside extensive personally identifiable information (PII) such as customer names, full addresses, phone numbers, dates of birth, and gender. Threat intelligence analyst Bank Security identified the leak, and BleepingComputer verified the exposed data through analysis of a posted spreadsheet sample. The actor simultaneously advertised the sale of additional Mexican banking customer data, explicitly naming Santander and Banamex alongside American Express in their forum post. Notably, the leaked American Express data did not contain credit card expiration dates, passwords, or highly sensitive financial details that could directly facilitate fraudulent transactions. The threat actor asserted in the forum thread that their intent was limited to enabling spam or marketing activities, stating they did not sell private data like passwords or ID numbers.


American Express confirmed awareness of the incident and stated they were monitoring the situation but neither confirmed nor denied a breach when contacted by BleepingComputer. The company emphasized that cardholders bore no liability for fraudulent charges and referenced existing monitoring systems and safeguards designed to detect suspicious account activity. American Express advised affected customers to review statements for unauthorized transactions and remain vigilant against targeted phishing attempts that might leverage exposed PII or partial card details to appear credible. The article did not disclose any specific statements, actions, or acknowledgments from Santander regarding the threat actor’s separate claim of possessing its customer data. No further details about the Santander-related aspect of the advertisement, such as data volume, content, or verification status, were provided in the source material.
