The details of about 130,000 UBS staff were leaked after a cyber attack on a procurement service provider used by the Swiss banking giant.
A private bank in Switzerland, known as Pictet, was also affected by the cyber attack on Chain IQ earlier this month, which saw hackers steal employee information.
The hack, which included the theft of the UBS CEO’s direct phone number, was first reported by Swiss newspaper Le Temps.
UBS said in a statement: “A cyber attack at an external supplier has led to information about UBS and several other companies being stolen.”
The bank added that no customer data was affected. “As soon as UBS became aware of the incident, it took swift and decisive action to avoid any impact on its operations,” continued the statement.
Swiss private bank Pictet, also a Chain IQ customer, said customer data was not stolen.
Chain IQ, which is also headquartered in Switzerland, said the data was published on the afternoon of 12 June, but it could not provide further information for security and investigative reasons.
While banks invest heavily in security, third-party suppliers are potential weak links, which can be used by hackers to gain access to systems.
According to a report from SecurityScorecard, 96% of Europe’s largest financial services organisations have been affected by a security breach at a third-party organisation in the past two years.
This was 25% higher than when the same survey was carried out two years ago.
The risk management company analysed the top 100 finance firms in Europe, in terms of assets under management, and found that 96% had suffered at least one third-party breach in the past year. This was compared with 78% in the previous report two years earlier.
It also revealed that 97% had experienced a breach via a fourth party – the partners of their partners – which was up from 84% two years ago. A total of 7% suffered a direct breach, down from 8% in the 2023 report.
According to the report, Switzerland recorded the most third-party breaches, with an average of about 172 per firm, followed by the Netherlands (148) and the UK (136).
One senior security professional, who has 30 years’ experience in the UK banking sector, said attackers target multiple technologies in a highly interconnected industry.
“You’re reliant on software from multiple different suppliers, and it’s the weakest link that’s going to take you down, and that could be anywhere,” he said.
The source, who is familiar with the checks made by banks such as UBS, added: “After banks have done due diligence and bought products and services, they have no control over the suppliers’ day-to-day activity and cannot see what is happening. After they have acquired the service, they are reliant on the supplier’s security.”
The source said this type of data loss will continue to happen because “all sorts of systems, including administrative systems, are supplied to banks by third parties”.
He added: “For example, almost all banks use third-party systems for their human resources systems, which hold personal employee data.”
