UBS and Pictet have recently confirmed data breaches stemming from a cyberattack on their third-party service provider, Chain IQ. The incident, attributed to the hacker group “World Leaks” (formerly Hunters International), has resulted in the exposure of sensitive information, primarily impacting employee data for UBS and supplier invoice data for Pictet. Both financial institutions have assured that no client data was compromised in the attack.
The breach on Chain IQ, a procurement services firm that was spun off from UBS in 2013, reportedly led to the theft of files containing details of tens of thousands of UBS employees.
This information is said to include employee names, email addresses, phone numbers, roles, office locations, and even the direct phone number of UBS CEO Sergio Ermotti. The stolen data was subsequently published on the darknet.
Pictet, another client of Chain IQ, also confirmed being affected, stating that the leaked information was limited to invoice data involving certain suppliers from recent years and did not contain any client data. Chain IQ has acknowledged the cyberattack, noting that it and 19 other companies were targeted.
The company stated that it has taken prompt steps and countermeasures to contain the situation but could not disclose details on ransom demands or interactions with the attackers due to ongoing security and investigative reasons.
This incident underscores the increasing cybersecurity risks associated with third-party vendors, a concern that Switzerland’s financial markets regulator FINMA has repeatedly highlighted. FINMA reported a nearly 50% surge in successful cyberattacks on Swiss financial institutions in 2024 compared to the previous year, emphasizing the vulnerability introduced by reliance on external providers.
The European Central Bank has also cautioned that many banks still need to enhance their defenses against mounting cyber threats.
While both UBS and Pictet have moved swiftly to mitigate the impact and reassure their clients, the breach serves as a stark reminder of the interconnected nature of modern business ecosystems and the critical importance of robust supply chain cybersecurity measures.
