Swiss banking giant UBS Group AG has confirmed a significant data breach affecting approximately 130,000 of its employees, following a cyberattack on its third-party procurement service provider, Chain IQ Group AG.
The incident, attributed to the cybercrime group “World Leaks” (formerly “Hunters International”), highlights the escalating risks posed by supply chain vulnerabilities in the financial sector.
The breach, which Chain IQ confirmed affected it and 19 other organizations, resulted in the theft and subsequent publication of sensitive employee data on the dark web on June 12.
The exposed information includes employee names, email addresses, fixed and mobile phone numbers, roles, office locations, and preferred languages. Notably, reports indicate even the direct internal phone number of UBS CEO Sergio Ermotti was compromised.
UBS was quick to emphasize that no client data has been affected by the incident. “As soon as UBS became aware of the incident, it took swift and decisive action to avoid any impact on its operations,” a UBS spokesperson stated.
Chain IQ, a firm spun off from UBS in 2013, handles procurement services for various major institutions globally. Unlike traditional ransomware groups, which encrypt data, World Leaks specializes in data exfiltration and threatens public release if ransoms are not paid.
While Chain IQ has acknowledged the breach, it has refrained from disclosing the full extent of the stolen data or naming all affected clients due to ongoing investigations. Swiss private bank Pictet has also confirmed a data breach linked to the Chain IQ incident, although it stated that the breach was limited to invoice details and did not involve client information.
Cybersecurity experts are warning of potential long-term implications for the Swiss banking sector. The leaked employee data could be exploited for sophisticated social engineering attacks, impersonation, fraud, phishing scams, or even blackmail.
The increasing availability of generative AI tools further amplifies these risks through realistic voice and video impersonation, potentially aiding in money laundering and other illicit activities.
This incident serves as a stark reminder of the critical importance of robust third-party cybersecurity risk management. Regulators, including Switzerland’s financial markets regulator FINMA, have consistently cautioned about the “key operational risk” posed by reliance on external providers.
As investigations continue, the focus remains on mitigating the potential fallout for affected UBS employees and strengthening defenses against such evolving cyber threats.