A hack of Chain IQ has led to the leak of data on 130,000 employees of many companies, notably banking giant UBS – including its CEO.
Procurement service provider and UBS spin-off Chain IQ was reportedly attacked last week as part of a wider spate of hacks by ransomware group Worldleaks that targeted 20 companies, with 1.9 million files leaked. That included data about UBS employees, as well as information from other banks.
The incident is just the latest to target a bigger company via its suppliers or partners, with 97% of American banks hit by third-party data breaches in 2024.
"From the technical viewpoint, this incident is a grim reminder that third parties are the Achilles' Heel even of the largest financial institutions," said Dr. Ilia Kolochenko, CEO at ImmuniWeb and a Fellow at the British Computer Society (BCS).
What happened
According to a report in Swiss newspaper Le Temps, no UBS client data was stolen but information about 130,000 UBS workers was compromised – and that includes the direct phone line to UBS CEO Sergio Ermotti.
UBS didn't confirm what data was taken but did admit it was a victim in the incident. "A cyber attack at an external supplier has led to information about UBS and several other companies being stolen. No client data has been affected," UBS said in a statement to Reuters. "As soon as UBS became aware of the incident, it took swift and decisive action to avoid any impact on its operations," the statement added.
Private bank Pictet has also confirmed its data was leaked via the incident, though the information stolen did not include client data, only invoices with suppliers.
ChainIQ told Reuters that countermeasures were quickly taken, adding that the data was leaked on June 12. The company didn't share if there was a ransom demand. ITPRO contacted UBS and Chain IQ for comment but has yet to get a response.
"Long-lasting impact on Swiss banking"
ChainIQ has many big-name banks as customers, and though others haven't yet confirmed they were victims of the attack, it could prove to have serious implications for the wider industry.
"Before the exact scope of the alleged data breach is known and verified, it would be premature to make final conclusions," Kolochenko said in a statement sent to ITPRO. "However, based on the publicly available data, this data breach may have a disastrous and long-lasting impact on the Swiss banking industry, given that UBS is the largest financial institution of the country."
While no client data was lost, the information on employees that was stolen could be used by hackers in a number of ways, including future scams, fraud, and phishing attacks, with the data used to help impersonate bank employees, he said.
"The wide availability of generative AI tools, capable of impeccably impersonating voices and even videos, may certainly amplify the consequences of the data breach," he added. "Worse, some of the stolen data may be exploited to blackmail bank employees or even facilitate money laundering via sophisticated social engineering operations."
To help avert the worst of that impact, Kolochenko called for UBS to notify employees and customers of the potential risks. "From the legal viewpoint, the question of liability is complex, however, it is perfectly possible that the bank may eventually be liable to the victims for the damage suffered as a result of the attack," he added.
-
What does modern security success look like for financial services?Sponsored As financial institutions grapple with evolving cyber threats, intensifying regulations, and the limitations of ageing IT infrastructure, the need for a resilient and forward-thinking security strategy has never been greater
-
Yes, legal AI. But what can you actually do with it? Let’s take a look…Sponsored Legal AI is a knowledge multiplier that can accelerate research, sharpen insights, and organize information, provided legal teams have confidence in its transparent and auditable application
-
Teens arrested over nursery chain Kido hacknews The ransom attack caused widespread shock when the hackers published children's personal data
-
Red Hat reveals unauthorized access to a GitLab instance where internal data was copiedNews Crimson Collective has claimed the attack, saying it has accessed more than 28,000 Red Hat repositories
-
Google warns executives are being targeted for extortion with leaked Oracle dataNews Extortion emails being sent to executives at large organisations appear to show evidence of a breach involving Oracle's E-Business Suite
-
Harrods rejects contact with hackers, after 430,000 customer records stolen from third-party providerNews The luxury department store has denied any link to a failed attack on its systems in May
-
Kido nursery hackers threaten to release more details – along with the personal data of 100 employeesNews The attack is the first to be claimed by the new threat group 'Radiant'
-
Air France and KLM confirm customer data stolen in third-party breachNews A spokesperson told ITPro the airlines are investigating "fraudulent access" to customer data following a third-party breach.
-
Average Brit hit by five data breaches since 2004News While the number of breaches has fallen, the UK has been the worst-hit country in Northern Europe since 2004
-
Personal data taken in Oxford City Council cyber attacknews The personal data of election workers has been accessed, but the council says it moved quickly to limit the effects of the breach
