One whistleblower claims that Santander’s online banking “unnecessarily stores sensitive information within cookies”. He claims that, depending on which areas of online banking the customer uses, this data includes the user’s name, credit card number, bank account number and sort code, and UserID.
“Of particular concern is the full credit card number, which regulations state should be rendered unreadable anywhere it is stored,” he said.
Santander has strongly denied the allegations, maintaining that data stored in its cookies posed no risk to account security.
It said: “The data items stored within our cookies, if compromised, would not allow access to our online services on their own and our primary login processes do not rely on cookie data.
“We review the use of our cookies and the data contained within them, and if necessary will review the IDs used by our customers to limit any future risks. We take the security of our customer data very seriously.”
The blogger argues that Santander’s handling of cookies does pose a risk, in cases where customers fail to close their browser after an e-banking session.
“Any user who does not close their browser, even if they log out correctly, will still have these cookies present until they close their browser, increasing the window for exposure.”