Santander has been accused of including highly sensitive data in cookies served on its UK website, sparking fears that users’ details could be compromised.
One whistleblower claims that Santander’s online banking “unnecessarily stores sensitive information within cookies”. Depending on which areas of online banking the customer uses, he claims this data includes the user’s name, credit card number, bank account number and sort code, and UserID.
“Of particular concern is the full credit card number, which regulations state should be rendered unreadable anywhere it is stored,” he said.
The source alleges that Santander is violating its own cookie policy, which states that session cookies “do not contain personal information, and cannot be used to identify you” as well as the credit card industry’s PCI DSS regulations.
Santander has strongly denied the allegations, maintaining that data stored in its cookies posed no risk to account security.
It said: “The data items stored within our cookies, if compromised, would not allow access to our online services on their own and our primary login processes do not rely on cookie data.
“We review the use of our cookies and the data contained within them, and if necessary will review the IDs used by our customers to limit any future risks. We take the security of our customer data very seriously.”
The blogger argues that Santander’s handling of cookies does pose a risk, in cases where customers fail to close their browser after an e-banking session.
“Any user who does not close their browser, even if they log out correctly, will still have these cookies present until they close their browser, increasing the window for exposure.”
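The two concerns raised above, a card number held in a cookie and session cookies that persist until the browser is closed, can be checked on one's own site by auditing the Set-Cookie headers it issues. The following is an added example, not code from the article or from Santander; the headers are constructed, and 4111111111111111 is a widely used test card number rather than a real account.

```python
import re
from http.cookies import SimpleCookie

# Constructed Set-Cookie header values for the demo (not captured from any bank);
# 4111111111111111 is a standard test card number, not a real card.
SAMPLE_HEADERS = [
    "SESSIONID=8f3c1a7e; Path=/; Secure; HttpOnly",
    "CARD=4111111111111111; Path=/",
    "ACCT=12345678-12-34-56; Path=/; Max-Age=3600",
    "LANG=en; Path=/; Max-Age=2592000",
]

PAN_RUN = re.compile(r"\d{13,19}")                # candidate card-number digit runs
SORT_CODE = re.compile(r"\b\d{2}-\d{2}-\d{2}\b")  # UK sort code layout


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: true for well-formed card numbers, filters random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, fold to one digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def audit_cookies(headers):
    """Return one finding per cookie whose value looks like a PAN or a sort code.

    Each finding records whether the cookie is session-scoped (no Expires or
    Max-Age, so it survives logout until the browser closes) and whether the
    Secure and HttpOnly flags are set.
    """
    findings = []
    for header in headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            kinds = []
            if any(luhn_ok(run) for run in PAN_RUN.findall(morsel.value)):
                kinds.append("pan")
            if SORT_CODE.search(morsel.value):
                kinds.append("sort-code")
            if kinds:
                findings.append({
                    "name": name,
                    "kinds": kinds,
                    "session": not (morsel["expires"] or morsel["max-age"]),
                    "secure": bool(morsel["secure"]),
                    "httponly": bool(morsel["httponly"]),
                })
    return findings


if __name__ == "__main__":
    for finding in audit_cookies(SAMPLE_HEADERS):
        print(finding)
```

Run against real responses by feeding it the Set-Cookie header values from a logged-in session; any "pan" finding is a PCI DSS storage problem regardless of flags, and a session-scoped one is exactly the lingering-until-browser-close case described above.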