Feeds

ICO decides against probe of Santander email spam scammers

Not enough 'evidence' ... while readers insist unique-to-bank addresses used

The Essential Guide to IT Transformation

Santander customers say they are continuing to be deluged with Trojans and other junk to email addresses exclusively used with the bank months after the problem first surfaced back in November.

At least two Reg readers have put in complaints to the Information Commissioner's Office. But the data privacy watchdog told us that it has "insufficient evidence" to proceed with an inquiry.

The bank said it was investigating the complaints back in December amidst fears of an email database leak either at the bank or (more likely) one of its third-party marketing affiliate partners. Santander has not responded to repeated requests from El Reg for an update on its inquiry.

Independent experts previously told El Reg that fingering the source of this type of possible leak can be difficult if not impossible, scant consolation for the multiple Santander customers at the receiving end of the ongoing junk torrent.

This issue first surfaced last November. A Trojan was being distributed to private email addresses that should only be known by various institutions including Santander Bank, the UK Government Gateway and NatWest FastPay service. The attacks were first detected by Belgian security firm MX Lab.

Attacks against unique email addresses registered with Santander bank have continued since, giving rise to concerns that the bank may have had a data breach. Some of the emails feature the surname of recipients, a piece of information not included in the unique email address itself of one affected customer.

"I've received an invite for what looks to be a 'money mule' job sent to the leaked email address ... but rather scarily the subject field is populated with my SURNAME (which doesn't form any part of the email address)," Santander client Andrew told El Reg

"So it appears rather likely that REAL NAMES leaked with the email addresses. This takes the leak to a whole new level. I wonder whether phone numbers and addresses leaked too?"

A discussion thread on UK financial advice website Money Saving Expert suggest several other people have received MVL money-mule spam with their surname in the subject line (copy of MVL spam email via Pastebin here). The issue has also been raised on Santander's Facebook page, giving rise to allegations that Santander either sold on the data to unscrupulous marketeers or somebody got hacked.

There's no suggestion that there's any problem with Santander's online banking system. Instead the issues centres on unaddressed fears that email addresses supplied to the bank somehow leaked out. It's possible (though we think unlikely) that recipients of spam made a mistake themselves that exposes their unique email address to unwanted attention. These mistakes might potentially include re-using the unique email address elsewhere or responding to a phishing attack.

This kind of explanation becomes more and more implausible the more people report the problem. Understandably recipients of the spam email are becoming increasingly frustrated.

"I've had a similar experience with a unique address given only to Santander which has since been used by a spammer," Santander customer Mark explained. "I tried complaining to the bank but they dismissed my complaint and almost blamed me as there was no proof.

"I then took the matter up with the Information Commissioner but they said I has to contact the spammers and ask them where they got the email address from," he claimed. "I just gave up at that point," he added.

A representative of the ICO told El Reg that the data privacy watchdog never advises complainants to contact scammers, implying some kind of miscommunication or misunderstanding between it and the aggrieved Santander customer.

When we receive a complaint that an organisation has breached the Data Protection Act or the Privacy and Electronic Communications Regulations, we will make enquiries before considering whether any further action is required.   In order to do this we need sufficient information to take the case forward. However, we would not advise individuals to contact those sending emails that are clearly scams.

Pressed on how it was handling complaints about junk mail going to email addresses uniquely registered with Santander the ICO said it didn't have "sufficient evidence" to run an investigation.

"We have received some complaints relating to this matter, but we have not received sufficient evidence to take our enquiries further," an ICO spokesman told El Reg. ®

Build a business case: developing custom apps

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
'Things' on the Internet-of-things have 25 vulnerabilities apiece
Leaking sprinklers, overheated thermostats and picked locks all online
iWallet: No BONKING PLEASE, we're Apple
BLE-ding iPhones, not NFC bonkers, will drive trend - marketeers
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Tor attack nodes RIPPED MASKS off users for 6 MONTHS
Traffic confirmation attack bared users' privates - but to whom?
Multipath TCP speeds up the internet so much that security breaks
Black Hat research says proposed protocol will bork network probes, flummox firewalls
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Maximize storage efficiency across the enterprise
The HP StoreOnce backup solution offers highly flexible, centrally managed, and highly efficient data protection for any enterprise.