On the 5th of November 2013, I received 4 scam emails from "[The Federal] Tax Service" (containing a trojan executable) to an email address that has only ever been given to Santander (and is indeed unique to Santander, given that it has their name in it).
Some people will claim that this was caused by a brute force or dictionary attack and that it is a co-incidence that it only went to my Santander email address. The advantage of running my own email servers is that I can check the logs and see what other email was rejected. There were 4 rejected attempts to send email the day before to this address but nothing before that. On average there were 2 email attempts per day in November to completely unknown recipients, following a dictionary attack pattern. No one performs a brute force attack on email recipients, that would be ridiculous and take forever at the rate of 2 per day.
As reported by The Register in
Oi, bank manager. Only you've got my email address - where're these TROJANS coming from?, I wasn't the only person to have this issue which implies that a number of other customers have had their personal data leaked too. Unfortunately in the UK the only practical way to enforce our data protection laws is by reporting issues to the ICO, and as usual they decided to do nothing.
Responses from Santander Executive Complaints
I complained to Santander about this issue and received nonsense back every time:
Firstly I would like to apologise for the misunderstanding of your previous complaint, that the emails you were receiving were from someone claiming to be Santander. I now understand that this is not the case and you are unhappy with an email you received claiming to be from "The Federal Tax Service" addressed to an email account used specifically for Santander and you would like to understand how this email address was obtained by the third party.
As I confirmed within my letter of 3 January 2014, Santander has never supplied your personal details to an unauthorised third party. However, I can confirm that our Security Team were highlighted to attempts by third parties trying to obtain a large proportion of customer related emails who used a specific email address for their Santander accounts.
attempts ... to obtain ... customer related emails (sic) who used a specific email address for ... Santander could be the plot for a movie because it's pure fiction. It's also amazing what Santander can know about these "attempts" that were supposedly unsuccessful.
Thank you for coming back to me. I can confirm we detected the attempt to obtain personal details in time to ensure preventative measures were in place and as advised within my letter our IT and Security Team are aware that the National Crime Agency's National Cyber Crime Unit (NCCU) are working hard to identify the source.
Please be assured, none of your personal data has been stolen or compromised, the only data obtained was the Santander specific email address, which I understand you have now changed, to a more secure address.
So my personal data hasn't been stolen except for my email address which is personal data!?
Santander email practices
Reviewing all the legitimate email received from Santander, it either comes direct from servers owned by Santander UK PLC (relating to my account) or it's a general marketing email in which case it comes from servers owned by Marketing Source Limited (from the domain "yoursantander.co.uk" because nothing says trustworthy like using separate unverifiable domains to email your customers!).
It's possible that the personal data leak occurred from within Santander or within Marketing Source. Both companies have the personal data of customers (including postcodes used to "authenticate" the email). What's interesting is that all the general marketing email up to August 2013 (before the spam started) comes from "firstname.lastname@example.org" and all such email from June 2014 (after the spam started) comes from "email@example.com", so Marketing Source have changed something in that time period.
The long-term effect
What happens when you leak customers' email addresses to third parties? They receive junk email to that address forever. At its peak this was on average 4 emails per day but it has reduced to 1 every 3 days, as this graph illustrates: