Supplier hack leaks UBS data – including CEO's phone number
Chain IQ incident could hit Swiss banking sector hard in "grim reminder" of risk of third-party breaches


A hack of Chain IQ has led to the leak of data on 130,000 employees of many companies, notably banking giant UBS – including its CEO.
Procurement service provider and UBS spin-off Chain IQ was reportedly attacked last week as part of a wider spate of hacks by ransomware group Worldleaks that targeted 20 companies, with 1.9 million files leaked. That included data about UBS employees, as well as information from other banks.
The incident is just the latest to target a bigger company via its suppliers or partners, with 97% of American banks hit by third-party data breaches in 2024.
"From the technical viewpoint, this incident is a grim reminder that third parties are the Achilles' Heel even of the largest financial institutions," said Dr. Ilia Kolochenko, CEO at ImmuniWeb and a Fellow at the British Computer Society (BCS).
What happened
According to a report in Swiss newspaper Le Temps, no UBS client data was stolen but information about 130,000 UBS workers was compromised – and that includes the direct phone line to UBS CEO Sergio Ermotti.
UBS didn't confirm what data was taken but did admit it was a victim in the incident. "A cyber attack at an external supplier has led to information about UBS and several other companies being stolen. No client data has been affected," UBS said in a statement to Reuters. "As soon as UBS became aware of the incident, it took swift and decisive action to avoid any impact on its operations," the statement added.
Private bank Pictet has also confirmed its data was leaked via the incident, though the information stolen did not include client data, only invoices with suppliers.
Chain IQ told Reuters that countermeasures were quickly taken, adding that the data was leaked on June 12. The company didn't share whether there was a ransom demand. ITPRO contacted UBS and Chain IQ for comment but has yet to get a response.
"Long-lasting impact on Swiss banking"
Chain IQ has many big-name banks as customers, and though others haven't yet confirmed they were victims of the attack, the incident could prove to have serious implications for the wider industry.
"Before the exact scope of the alleged data breach is known and verified, it would be premature to make final conclusions," Kolochenko said in a statement sent to ITPRO. "However, based on the publicly available data, this data breach may have a disastrous and long-lasting impact on the Swiss banking industry, given that UBS is the largest financial institution of the country."
While no client data was lost, the information on employees that was stolen could be used by hackers in a number of ways, including future scams, fraud, and phishing attacks, with the data used to help impersonate bank employees, he said.
"The wide availability of generative AI tools, capable of impeccably impersonating voices and even videos, may certainly amplify the consequences of the data breach," he added. "Worse, some of the stolen data may be exploited to blackmail bank employees or even facilitate money laundering via sophisticated social engineering operations."
To help avert the worst of that impact, Kolochenko called for UBS to notify employees and customers of the potential risks. "From the legal viewpoint, the question of liability is complex, however, it is perfectly possible that the bank may eventually be liable to the victims for the damage suffered as a result of the attack," he added.
Freelance journalist Nicole Kobie first started writing for ITPro in 2007, with bylines in New Scientist, Wired, PC Pro and many more.
Nicole is the author of a book about the history of technology, The Long History of the Future.