I am one of the people affected/complaining
I started receiving the virus spam emails in November and immediately started a complaint. Allow me to share some of my insight/experience.
The article discusses a number of sources of the leak and the user could possibility. I did consider this as I can be a numpty but:
1) I started getting virus spams to two unique email addresses on the same day.
2) This was shortly after the Adobe breach in November 2013.
3) I have a whole raft of unique addresses and I was only getting spam virus emails to two of them
4) The email address was not "Santander" or anything that could be guessed (really).
My guess it was the same crew that took the addresses from both Santander and Sportsbikeshop.co.uk. If I was to get a free bet I would suspect (as I used to work in Direct Marketing for a bank now "eaten" by Santander) that an external agency using Adobe products and the same password everywhere is to blame.
It took me some time to get my complaint listened to. Their Data Protection Officer wasn't having anything to do with me (FFS, What is their purpose!) and I had to raise three complaints before Santander "engaged".
However since "engaging" the poor Scottish chap dealing with the complaint has been great. You couldn't fault him. If you're reading this mate then I owe you a pint.