A wake-up call for Swiss Banking Cybersecurity
A shocking cyberattack has compromised highly sensitive data from UBS, Pictet, and other major companies through their supplier, Chain IQ. Over 130,000 UBS employees had personal information stolen, including the direct line of UBS CEO Sergio Ermotti. For Steven Meyer, Co-CEO of ZENDATA Cybersecurity, this breach is a painful reminder: cybersecurity isn’t just about firewalls and endpoints. It’s about understanding and managing the risk exposure of your entire supply chain.
What happened: Data Breach overview
Chain IQ, a Swiss procurement and service provider based in Zug, suffered a massive data breach in early June. The attackers, a group known as “World Leaks”, published internal files on the dark web. Among the exposed documents:
- An Excel file with data on 137,000 UBS employees, including phone numbers, job roles, office locations, and even the internal number of CEO Sergio Ermotti.
- A second file with 230,050 lines of billing data involving Pictet, detailing expenses like grocery shopping, hotel stays, and even pottery purchases.
- Lists of hundreds of companies either directly or indirectly linked to Chain IQ, including Swiss Life, IBM, and Swisscom.
While both UBS and Pictet assured that no customer data was involved, the scale of the breach underlines the systemic vulnerability introduced by third-party providers.
Compliance isn’t resilience
For Steven Meyer, Co-CEO of ZENDATA Cybersecurity, “this attack illustrates once again how supplier risk is one of the most complex threats to manage”. According to him, the trust placed in supplier certifications or compliance audits is dangerously overestimated.
“Too often, a certification is seen as a cybersecurity shield. But certifications don’t defend against real-world attacks.”
– Steven Meyer.
Instead, Steven Meyer urges companies, especially financial institutions, to adopt a more active, strategic approach.
That includes:
- Requiring regular penetration tests from high-risk suppliers
- Demanding evidence of remediation and continuous improvement
- Mapping critical dependencies and aligning security obligations with potential business impact
“There’s no perfect solution,” Steven Meyer admits, “but cybersecurity isn’t a service you outsource. It’s a shared responsibility.”
The Supplier Blind Spot
This incident shows how indirect threats can bypass even the most security-conscious companies. Once a non-disclosure agreement is signed, companies often share massive amounts of internal data with suppliers. If those suppliers lack the maturity or tools to defend themselves, the original company becomes the one exposed.
In this case, neither UBS nor Pictet failed to secure their own systems. But their reliance on Chain IQ, without fully verifying its operational security posture, led to reputational and security damage nonetheless.
The core lesson: shift from Compliance to Risk Governance
The Chain IQ breach should trigger a shift in how organizations approach cybersecurity in vendor relationships. As Steven Meyer points out, resilience isn’t a box you tick. It’s a constant, evolving commitment.
For any organization, banking or otherwise, this means:
- Understanding your tolerance to third-party risk
- Prioritizing cybersecurity in supplier onboarding
- Treating cybersecurity as a core governance issue, not a compliance checkbox
Our Take at ZENDATA Cybersecurity
At ZENDATA Cybersecurity, we help businesses move beyond the illusion of security through paperwork. Our cybersecurity services are designed to align with operational reality, not just policy. We support companies in identifying critical third-party risks, implementing proportionate controls, and building resilience into their supply chains.
Read the full article in Le Temps here.