Global banking giant UBS has suffered a data breach following a cyber-attack on a third-party supplier.
In a statement emailed to Infosecurity, a UBS spokesperson confirmed that a breach had occurred but said it had not impacted customer data or operations.
“A cyber-attack at an external supplier has led to information about UBS and several other companies being stolen. No client data has been affected. As soon as UBS became aware of the incident, it took swift and decisive action to avoid any impact on its operations,” the UBS statement read.
Swiss-based newspaper Le Temps reported that information about 130,000 UBS employees had been published on the dark web by a ransomware group called World Leaks, previously known as Hunters International, following the incident.
This data includes business contact details, such as employees' phone numbers, job roles, and details of their location and the floor they work on.
The direct phone number of UBS CEO Sergio Ermotti was reportedly included in the published data.
UBS also confirmed to Infosecurity that the external supplier at the center of the incident was Swiss-based procurement service provider Chain IQ.
Another Chain IQ client, Swiss private bank Pictet, also revealed it had suffered a data breach as a result of the attack. Pictet said in a statement published by Reuters that the information stolen did not contain its client data and was limited to invoice information with some of the bank's suppliers, such as technology providers and external consultants.
At the time of writing, it is not known whether any other Chain IQ customers have been impacted.
Attack on a Scale “Never Seen Before”
Chain IQ, along with 19 other companies, was targeted by a cyber-attack on June 12 “that had never before been seen on a global scale,” the company said in a statement published on June 19.
At 17.15 CET on June 12, data from “some” Chain IQ customers were posted on the dark web.
“In connection with the cyber-attack on Chain IQ, data containing employee business contact details of selected clients were exfiltrated. These data contain the internal telephone numbers of client employees,” the company wrote.
All affected customers, employees and partner companies were informed of the incident at 20.00 CET on Thursday June 12.
Law enforcement authorities were also notified of the attack.
The firm said it took immediate measures to strengthen the security of all relevant systems after the data was published on the dark web. Chain IQ continues to work with IT infrastructure and cybersecurity outsourcing partners.
“Chain IQ takes this attack very seriously and will provide further information as soon as new findings become available,” the company added.
The company did not provide details on how the attack occurred or whether it was ransomware-related.
Potential Wide-Ranging Implications of UBS Breach
Commenting on the story, Jake Moore, global cybersecurity advisor at ESET, warned that the full impact of the breach affecting UBS and other customers may not yet be apparent.
“Although it appears no client data was taken, what we have learnt from dozens of past attacks is that the full scale of a data breach may not be fully transparent for many weeks after the initial breach so it is always advisable to keep an open mind on the potential outcome,” he explained.
James Neilson, SVP International at OPSWAT, said that the publication of employee details could be a ploy to publicly shame affected businesses, such as UBS, to increase pressure to pay a ransomware demand.
“The targeting and publication of employee details can not only result in financial damage but also jeopardise the values and reputation of the bank. Customers trust banks to safeguard their data,” he commented.
Neilson continued: “While this attack did not steal customer information, if customers fear in any way that their data is at risk, the damage to trust can be substantial. The publication of UBS’s CEO’s phone number is an example of attackers attempting to embarrass their victims and apply pressure to concede to demands.”
Dr. Ilia Kolochenko, CEO at ImmuniWeb, noted that the type of data stolen by the attackers could help facilitate follow-on social engineering attacks impersonating bank employees, particularly given the growing availability of sophisticated tools such as deepfakes.
“The wide availability of GenAI tools, capable of impeccably impersonating voices and even videos, may certainly amplify the consequences of the data breach. Worse, some of the stolen data may be exploited to blackmail bank employees or even facilitate money laundering via sophisticated social engineering operations,” he said.
Third-Party Security in the Spotlight
The incident highlights the growing threat posed by supply chain attacks, which can affect multiple downstream customers.
Following a spate of recent cyber-attacks on UK retailers, including Marks & Spencer (M&S), investigators collaborating with M&S disclosed that Scattered Spider leveraged compromised credentials from Tata Consultancy Services (TCS), a major IT outsourcing firm, to infiltrate systems.
In May, global sportswear giant Adidas revealed that customer data had been breached following a third-party attack.
This is a particular concern in the financial sector, where regulations such as the EU’s Digital Operational Resilience Act (DORA) place a strong focus on it.
Neilson said: “The interconnectedness of financial systems means that third-party providers will always be major targets of interest for cybercriminals aiming to compromise big banks. In highly regulated industries such as banking, it is critical that, when integrating third parties into business operations, minimum security operating standards are set, and third-party operations are audited and actively monitored.”