More than 12,000 U.S.-based employees of banking giant Santander had information leaked in a breach in May connected to the cloud storage provider Snowflake. 

The Spain-based bank is one of the largest in the world, reporting more than $57 billion in revenue last year. It was one of the first organizations to report a breach in the Snowflake incident, which involved a string of attacks on the storage provider’s customers.

Santander informed regulators of the breach on Wednesday, warning that the information of 12,786 employees was accessed during an incident the company believes began on April 17.

The bank said it learned of the breach on May 10 after discovering that hackers had accessed records from a third-party database used by one of its affiliates. 

“Santander’s investigation subsequently determined that the records contained certain Company employee’s personal information that may have included your name, Social Security number, and bank account information used for direct deposit for payroll,” the breach notification letters said. 

Victims are being given two years of free identity protection and credit monitoring services. 

On May 14, the bank said: "No transactional data, nor any credentials that would allow transactions to take place on accounts are contained in the database, including online banking details and passwords."

A group of hackers known as ShinyHunters has claimed to have 30 million people’s bank account details, along with 28 million credit card numbers. Their claims have not been verified.

Los Angeles school district says student data stolen from Snowflake   

Since Santander disclosed the incident, a handful of large companies — including Ticketmaster, Advance Auto Parts, LendingTree and more have come forward as victims of the hacking campaign against Snowflake — which has repeatedly said investigations have not found any issue with their platform’s security. 

Some public organizations have also identified incidents. A spokesperson for the Los Angeles Unified School District told Recorded Future News on Thursday that its recently announced breach was connected to the campaign against Snowflake.

“Through its extensive and ongoing investigation, the District has determined that the data in question was maintained by one or more Los Angeles Unified external vendors on Snowflake, a cloud-based platform used for mass data storage, and appears to have been stolen in a manner consistent with recently publicized thefts involving numerous Snowflake accounts,” the spokesperson said. 

“So far, the District’s ongoing investigation has revealed no evidence of any compromise to our systems or networks; however the investigation into the scope and extent of the data impacted is ongoing. Los Angeles Unified is continuing to engage with the FBI, CISA, its vendors, and consultants in furtherance of this investigation.”

Hackers claimed two weeks ago that they had breached the systems of the Los Angeles Unified School District and stole millions of records on students and teachers. 

Snowflake hired security firms Mandiant and Crowdstrike earlier this month to investigate the issue and both confirmed that the attacks — which affected approximately 165 organizations — were sourced back to stolen credentials previously purchased or obtained through infostealing malware.

Mandiant said the hacking group behind the campaign is “based in North America, and collaborates with an additional member in Turkey.” The hackers, according to Mandiant, stole credentials dating back to 2020 that were still in use. 

A hacker that has tried selling information stolen purportedly from companies through Snowflake has continued to hawk the data on cybercriminal forums this week, offering information from Ticketmaster, Advance Auto Parts and other companies in recent days for millions in ransoms.

Snowflake said it planned to close its investigation into the incident last week.