
Swiss banking giant UBS said it experienced a significant data breach, following a large-scale cyber security incident affecting one of its external service providers, Chain IQ.
Based in Baar, Switzerland, Chain IQ is a global procurement services firm with operations in six centers and 14 offices worldwide. Its clients include UBS, Pictet, KPMG, Mizuho and more.
🚨 #UBS (@UBS), the Swiss bank headquartered in #Zurich 🇨🇭, has confirmed a #dataleak. The security incident reportedly originated from Chain IQ Group AG (https://t.co/o8EBGk8i2g), a supplier of UBS that provides indirect procurement services across 49 countries. #ChainIQ was…
— VenariX (@_venarix_) June 18, 2025
Recently, a threat actor claimed to have infiltrated Chain IQ’s internal network, stealing 909.6 GB of data across 1,931,396 files. The compromised data reportedly included sensitive personal information belonging to Chain IQ’s clients, including UBS.
Acknowledging the claims of the threat actor, a UBS spokesperson confirmed to Swiss media that the company had suffered a data breach compromising the confidential information of 130,000 UBS employees.
The compromised data included names, email addresses, fixed phone numbers, mobile phone numbers, hierarchy details, spoken language, codes indicating their locations and more.
“A cyber attack at an external supplier has led to information about UBS and several other companies being stolen. No client data has been affected.
“As soon as UBS became aware of the incident, it took swift and decisive action to avoid any impact on its operations,” a UBS spokesperson said.
Local media also reported that the leaked data included the direct internal phone number of UBS CEO Sergio Ermotti.
Although Chain IQ did not provide specific details about the incident, the company confirmed that it had experienced a data security breach and revealed that 19 other organisations were targeted in the cyber attack.
The company added that the stolen data was published on the dark web on June 12. However, it refrained from sharing details about any ransom demands or interactions with the hackers because of the ongoing investigation.
Another Swiss bank, Pictet, also confirmed a data breach linked to the Chain IQ incident. However, Pictet clarified that the stolen data did not include client information, but was limited to invoice details from some of its suppliers, including technology providers and external consultants.
The bank added that it takes data security incidents seriously and has established protocols and agreements to prevent unauthorised access.
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543