Is SantanderUK compromised?

This morning I have received a special spam, the kind that warrants a blog post.

It's interesting for several reasons:

• It has my name in the Subject Header
• It came through an address that I have only given to my bank
• It uses a clever old-school trick to avoid bayesian filtering (text hidden with white fonts on a white background)
• It used Microsoft's delivery infrastructure (and therefore didn't have any problems with grey-listing)
• It uses 'sane' headers and no links (which tends to be a red-flag for spams)

As a security professional, when I see that type of targeted spam, several questions spring to mind:

• Have they sold my details? If so, where did they get my consent from?
• If not, they must have been compromised. What else have they leaked? Do they even know?

I have sent them an email this morning, asking the questions above... and will update this post with their reply.

For the curious, here is a copy of the spam from Santander.