Madrid, mid-May 2024. Banco Santander issues a brief statement. The bank confirms unauthorized access to a database held not on its own servers, but by an external cloud vendor. It's a textbook case of what file-centric DLP is built to address: the breach didn't happen inside the perimeter. The perimeter was never the point. Two weeks later, a listing appears on BreachForums: millions of customer records, price tag $2 million.
What you need to know in 30 seconds
Banco Santander is Spain's largest bank and one of the ten biggest globally by market cap: 200,000 employees, over 8,500 branches, more than 165 million customers. On May 14, the bank acknowledges that an unauthorized third party accessed a database held by a vendor, with the incident primarily affecting customers in Spain, Chile, and Uruguay. In subsequent weeks it emerges that U.S. employees were also affected, with Social Security Numbers and payroll banking data exposed.
On May 30, the cybercriminal group ShinyHunters posts a listing on BreachForums: 30 million customer records, 28 million card numbers, 6 million account numbers and balances, citizenship data, HR lists. Asking price: $2 million. The 30-million figure is disputed: Santander's Q1 2024 financial report declared fewer than 20 million customers across the affected countries. The substance doesn't change. For weeks, the bank had no precise picture of what had actually left its custody.
The incident is not isolated. Subsequent reconstruction links it to a campaign that hit over 160 organizations using the Snowflake cloud data platform: the attackers logged in with credentials harvested by infostealer malware, against tenants whose configuration did not enforce MFA. Other documented victims include AT&T, Ticketmaster, LendingTree, and Advance Auto Parts.
The failure point was not inside Santander. It was a database sitting with a SaaS vendor. Legal and regulatory responsibility, however, never left the bank. Five gaps are visible.
No MFA on cloud vendor tenants. The vendor offered multi-factor authentication as an option, not a mandatory default. Access credentials ended up in infostealer catalogs (Lumma, RisePro, RedLine), sold for between $1,000 and $3,000. Without MFA, one stolen credential is a universal key. Zero Trust principles, on the customer side, were not enforced.
GDPR Article 28 honored in form, not substance. The cloud vendor operated as a data processor. The bank, as data controller, retained full responsibility for personal data hosted elsewhere. The outsourcing contract should have mandated minimum technical and organizational requirements: mandatory MFA, geographic segregation, periodic audits, Article 33-compliant notification timelines, verified in practice, not collected as declarations.
No segregation by geography or purpose. The compromised database held customers from three countries and employees from a fourth, in a single instance. GDPR Article 5's minimization principle requires limiting storage to what is necessary for the stated purpose. Concentrating millions of data subjects in one asset, accessible through single-set credentials, multiplies the blast radius by orders of magnitude.
DORA applied in retrospect. The Digital Operational Resilience Act (EU Reg. 2022/2554) became fully applicable on January 17, 2025, months after the incident. The 2022 text already described the Santander scenario precisely: a registry of critical ICT vendors, preliminary risk assessment, ongoing monitoring, documented exit strategy. The same framework is reinforced in Italy through Banca d'Italia Circular 285 on data governance and outsourcing.
No visibility into personal data mapping. The first regulatory prerequisite is knowing what data exists, where it lives, and who has access. In Santander's case: the initial disclosure referenced "some customers"; the subsequent statement added U.S. employees; the criminal's listing claimed 30 million records. Three different estimates in two weeks. The bank had no real-time picture of what the vendor was holding on its behalf.
To size the risk: the Verizon 2026 DBIR puts third-party involvement in breaches at 48%, up from 30% the year before. The IBM Cost of a Data Breach Report 2025 puts the global average breach cost at $4.44 million, with third-party vendor and supply chain compromise averaging $4.91 million, second only to malicious insider attacks at $4.92 million. Finance remains among the most exposed sectors by data value.
The Santander incident is a textbook failure of perimeter DLP. No firewall, no antivirus, no protected network plays any role when a legitimate credential authenticates against a third-party cloud. The data is already outside the perimeter.
The right question is not "how do I block access," but "what becomes worthless if access gets through regardless." That's the shift that separates perimeter protection from file-centric DLP: you stop defending the exit and start securing the file at the moment it's created. CyberGrant sits alongside a bank's existing security stack. It does not replace it. It closes the gap the stack was never designed to cover.
FileGrant places every document inside a natively encrypted vault using Lock&Go quantum-proof technology (CRYSTALS-Kyber, NIST post-quantum standard FIPS 203, ML-KEM). The protection travels with the file: inside the bank, outside it, on a vendor's cloud, shared with a third party. Even when a file is exfiltrated from a processor's environment, it leaves in encrypted form and stays that way.
The same records offered on BreachForums would have been obtainable even with FileGrant active. They would have been worthless. The real security measure is not blocking the access. It's ensuring that what gets taken can't be used. An exfiltrated encrypted file is not a commercial breach. It's a block of bytes with no market value.
The Santander attack vector was a stolen, reused credential. SecretGrant is a module built into FileGrant that treats corporate credentials, including those used to authenticate against external vendors, as security assets on par with documents: an encrypted vault, role-based segregation, access granted only to explicitly authorized users. For critical vendor tenants, policy can enforce automatic rotation, scheduled expiration, an additional passphrase on sensitive credentials, and a log of every access event. A credential captured by an infostealer is no longer enough, because the layer behind it is not user-negotiable.
AIGrant is a private, on-premise AI that automatically indexes, classifies, and tags corporate documents by content: sensitivity level, departmental segregation, access tracking, anomaly alerting by volume, time of day, or geographic origin. The critical blind spot in this case was data mapping. No one inside the bank knew in real time how many sensitive records were sitting in that database, belonging to which subjects, under which data categories. AIGrant closes that gap before an incident, not after.
AIGrant also blocks automatic scraping by public AI systems, so an employee who pastes a dataset to get analysis help cannot feed an external LLM. The bank stops discovering after the incident what the vendor was holding. It knows beforehand, automatically, in classified form, with every access logged.
AIGrant sits on top of FileGrant's encryption layer: the same CRYSTALS-Kyber quantum-proof protection applies to every document the AI indexes. Private means private through the full stack.
CyberGrant does not make the attack impossible. It makes the attack worthless.
Regulatory responsibility cannot be delegated to the vendor. You can delegate operations. You cannot delegate the obligation. GDPR Article 28 is unambiguous, and DORA, in force since January 17, 2025, amplifies it: a mandatory registry of critical ICT vendors, standard contract requirements, continuous monitoring, documented exit strategies. When the vendor fails, the data controller faces the sanction. For a broader look at how these three trends converge in 2026, see our article Cybersecurity 2026: three trends reshaping the CISO agenda.
MFA is not a contractual option. It is a contractual default. Every agreement with a processor holding personal data must impose mandatory MFA, geographic segregation, credential rotation schedules, and verifiable periodic audits. A clause that reads "the vendor implements adequate security measures" does not pass scrutiny.
Protection travels with the data, not with the network. The bank's logical perimeter ends at the first line of the vendor's code. Everything sitting in a processor's cloud must be natively encrypted at creation. If it isn't, a breach is a question of timing, not probability.
Visibility before compliance. GDPR Article 5 cannot be satisfied if the bank doesn't know what data exists in its repositories, including those held by third parties. Data mapping is the prerequisite, not the final deliverable.
Regulatory liability stays with the data controller, meaning the bank, even when the data is physically hosted by a vendor acting as a processor under GDPR Article 28. Outsourcing transfers operations, not the protection obligation. For the banking sector, DORA (EU Reg. 2022/2554) and Banca d'Italia Circular 285 additionally require a registry of critical ICT vendors and ongoing monitoring.
No. Perimeter DLP and firewalls have no role when a legitimate credential authenticates against a third-party cloud. The data is already outside the corporate perimeter. Effective protection in this scenario is file-centric: it lives inside the file itself through native encryption that persists after exfiltration, regardless of where the file ends up. See how FileGrant features address this gap.
It means encrypting data at creation, so the protection follows it wherever it goes: on bank servers, on a vendor's cloud, on a remote device, shared with a third party. An exfiltrated file stays encrypted and unreadable without the key, which the bank holds on-premise. Security is not measured by blocking access. It's measured by what remains in the hands of whoever gets access.
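As an added illustration of the model this answer and the FileGrant section above describe (encrypt at creation, key custody stays with the bank), here is example code written for this page; it is not FileGrant's or CyberGrant's implementation. It runs on the Python standard library alone, so two stand-ins are assumptions: HMAC-SHA256 in counter mode as the keystream and HMAC-SHA256 as the integrity tag, where a deployment would use AES-GCM, and a `ControllerKeyService` class standing in for the on-premise key store, where a deployment would wrap the data key with a KEM such as ML-KEM (FIPS 203); that wrapping layer is not shown. The container format, field names and the sample record are constructed.

```python
# Added example (not FileGrant/CyberGrant code): file-centric sealing with the
# data key wrapped by a key the controller keeps on-premise.
# Stand-ins (assumptions): HMAC-SHA256 in counter mode as keystream, HMAC-SHA256
# as tag, a class as the key service. A deployment would use AES-GCM and a
# KEM-wrapped data key; that layer is not shown here.
import base64
import hashlib
import hmac
import json
import secrets


def _crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with a keystream HMAC(key, nonce || block counter).
    Symmetric: the same call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + (i // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def _subkeys(dek: bytes):
    """Separate encryption and authentication keys derived from one data key."""
    return (hmac.new(dek, b"enc", hashlib.sha256).digest(),
            hmac.new(dek, b"mac", hashlib.sha256).digest())


class ControllerKeyService:
    """Stands in for the bank's on-premise key custody (assumption). The
    key-encryption key never leaves this object and is never sent to the vendor."""

    def __init__(self, key_id: str = "bank-kek-v1"):
        self.key_id = key_id
        self._kek = secrets.token_bytes(32)

    def wrap(self, dek: bytes) -> bytes:
        nonce = secrets.token_bytes(16)
        return nonce + _crypt(self._kek, nonce, dek)

    def unwrap(self, key_id: str, wrapped: bytes) -> bytes:
        if key_id != self.key_id:
            raise KeyError("unknown key id")
        return _crypt(self._kek, wrapped[:16], wrapped[16:])


def seal(plaintext: bytes, ks: ControllerKeyService, label: str) -> bytes:
    """Encrypt at creation. The returned container is all the processor ever
    stores: JSON header, base64 tag and raw ciphertext, newline-separated."""
    dek = secrets.token_bytes(32)
    enc_key, mac_key = _subkeys(dek)
    nonce = secrets.token_bytes(16)
    header = json.dumps({
        "v": 1, "key_id": ks.key_id, "label": label,
        "nonce": base64.b64encode(nonce).decode(),
        "wrapped_dek": base64.b64encode(ks.wrap(dek)).decode(),
    }, sort_keys=True).encode()
    ciphertext = _crypt(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, header + b"\n" + ciphertext, hashlib.sha256).digest()
    return header + b"\n" + base64.b64encode(tag) + b"\n" + ciphertext


def unseal(container: bytes, ks: ControllerKeyService) -> bytes:
    """Open a container. Requires the controller's key service and fails closed
    on any change to header, wrapped key or ciphertext."""
    header, tag_b64, ciphertext = container.split(b"\n", 2)
    meta = json.loads(header)
    dek = ks.unwrap(meta["key_id"], base64.b64decode(meta["wrapped_dek"]))
    enc_key, mac_key = _subkeys(dek)
    expected = hmac.new(mac_key, header + b"\n" + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, base64.b64decode(tag_b64)):
        raise ValueError("tag mismatch: wrong key or modified container")
    return _crypt(enc_key, base64.b64decode(meta["nonce"]), ciphertext)


def can_open(container: bytes, ks: ControllerKeyService) -> bool:
    try:
        unseal(container, ks)
        return True
    except (ValueError, KeyError):
        return False


def exfiltrated_view(container: bytes) -> dict:
    """Everything a party holding only the vendor-side copy can read."""
    header, _tag, ciphertext = container.split(b"\n", 2)
    meta = json.loads(header)
    return {"key_id": meta["key_id"], "label": meta["label"],
            "ciphertext_bytes": len(ciphertext)}


def flip_first_ciphertext_byte(container: bytes) -> bytes:
    """Simulate a modified exfiltrated copy (one bit changed in the ciphertext)."""
    header, tag_b64, ciphertext = container.split(b"\n", 2)
    return header + b"\n" + tag_b64 + b"\n" + bytes([ciphertext[0] ^ 0x01]) + ciphertext[1:]


# Constructed sample record; not real customer data.
SAMPLE_RECORD = b"customer_id,iban,balance\n1001,ES00 0000 0000 0000 0000 0000,12345.67\n"

if __name__ == "__main__":
    bank = ControllerKeyService()
    container = seal(SAMPLE_RECORD, bank, "customers-es")
    print(exfiltrated_view(container))          # key id, label and size only
    print(unseal(container, bank) == SAMPLE_RECORD)
```

The design point is the separation of custody: the processor stores the container, whose header carries the wrapped data key and the id of the key that wrapped it, but unwrapping needs the controller's key service. A copy lifted from the vendor yields a label, a key id and a byte count; opening it with a key service that holds a different key, or after any modification, fails the tag check.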
Because of the "harvest now, decrypt later" logic: an attacker can exfiltrate encrypted data today and decrypt it in the future, once quantum computers make current algorithms vulnerable. Banking data has a long lifecycle. CyberGrant encrypts with CRYSTALS-Kyber, the NIST-recognized post-quantum standard (FIPS 203, ML-KEM, August 2024), to protect data against this deferred threat. For the broader strategic picture, read Cybersecurity 2026: quantum threats and what CISOs must do now.
You need a granular audit trail documenting who accessed which data, when, and from where. With that traceability, the GDPR Article 33 breach notification and DORA reporting obligations rest on verifiable facts, not estimates. Automatic classification of sensitivity levels means the bank knows what is exposed before an incident, not after. AIGrant provides this layer of continuous visibility.
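As an added example of the continuous-visibility layer this answer and the AIGrant section describe (written for this page, not AIGrant's code), the block below reads a constructed audit export from a vendor-hosted tenant, builds the who/what/when/where trail, and flags the patterns named earlier on the page: logins without MFA, access from an unexpected country, queries outside business hours, and bulk reads by volume. The log format, field names, the baseline and its thresholds are assumptions to adapt to the vendor's real audit export.

```python
# Added example, not AIGrant or CyberGrant code: review of access events on a
# vendor-hosted data tenant. Log format, field names, baseline and thresholds
# are constructed assumptions.
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample audit lines (no real users, addresses or data).
SAMPLE_LOG = """\
{"ts": "2024-05-10T09:12:00+00:00", "user": "svc_analytics", "country": "ES", "mfa": true, "action": "LOGIN", "object": null, "rows": 0}
{"ts": "2024-05-10T09:13:30+00:00", "user": "svc_analytics", "country": "ES", "mfa": true, "action": "QUERY", "object": "customers_es", "rows": 1200}
{"ts": "2024-05-11T02:41:00+00:00", "user": "svc_analytics", "country": "NL", "mfa": false, "action": "LOGIN", "object": null, "rows": 0}
{"ts": "2024-05-11T02:43:10+00:00", "user": "svc_analytics", "country": "NL", "mfa": false, "action": "QUERY", "object": "customers_es", "rows": 6000000}
{"ts": "2024-05-11T02:44:05+00:00", "user": "svc_analytics", "country": "NL", "mfa": false, "action": "QUERY", "object": "cards", "rows": 5000000}
"""

# Baseline the controller agrees with the processor (assumed values).
BASELINE = {
    "expected_countries": {"ES", "CL", "UY", "US"},
    "business_hours_utc": (6, 20),        # [start, end) clock hour
    "max_rows_per_user_hour": 50_000,
}


def parse_events(text: str) -> list:
    """One JSON object per line; timestamps become aware datetimes."""
    events = []
    for line in text.splitlines():
        if line.strip():
            e = json.loads(line)
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return events


def review(events: list, baseline: dict = BASELINE) -> list:
    """Findings as dicts (user, ts, rule, object). Bulk reads are flagged once
    per (user, clock hour) when cumulative rows cross the threshold."""
    findings = []
    rows_per_bucket = defaultdict(int)
    bulk_flagged = set()
    start, end = baseline["business_hours_utc"]

    def flag(e, rule):
        findings.append({"user": e["user"], "ts": e["ts"].isoformat(),
                         "rule": rule, "object": e.get("object")})

    for e in events:
        if e["action"] == "LOGIN" and not e["mfa"]:
            flag(e, "login_without_mfa")
        if e["country"] not in baseline["expected_countries"]:
            flag(e, "unexpected_geo")
        if e["action"] == "QUERY":
            if not (start <= e["ts"].hour < end):
                flag(e, "off_hours_query")
            bucket = (e["user"], e["ts"].replace(minute=0, second=0, microsecond=0))
            rows_per_bucket[bucket] += e["rows"]
            if (rows_per_bucket[bucket] > baseline["max_rows_per_user_hour"]
                    and bucket not in bulk_flagged):
                bulk_flagged.add(bucket)
                flag(e, "bulk_read")
    return findings


def audit_trail(events: list) -> list:
    """Who accessed what, when and from where: the record a GDPR Article 33
    notification or DORA report can rest on instead of an estimate."""
    return [f"{e['ts'].isoformat()} {e['user']} {e['action']} "
            f"{e.get('object') or '-'} rows={e['rows']} from={e['country']} mfa={e['mfa']}"
            for e in events]


def rule_counts(findings: list) -> dict:
    counts = defaultdict(int)
    for f in findings:
        counts[f["rule"]] += 1
    return dict(counts)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for line in audit_trail(evs):
        print(line)
    for finding in review(evs):
        print(finding)
```

On the constructed sample the first two events are clean and the night-time session from an unexpected country produces seven findings: one login without MFA, three geo flags, two off-hours queries and one bulk read (the second large query lands in the same hour bucket, so it is not flagged twice). The audit trail is emitted for every event, clean or not, because the point of the trail is completeness at notification time rather than alerting alone.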