A supply chain attack on service provider Chain IQ has seen a number of Swiss banks also affected.

According to Reuters, UBS and Pictet said on Wednesday they had suffered a data leak due to a cyber attack on a provider in Switzerland that did not compromise client information.

"A cyber attack at an external supplier has led to information about UBS and several other companies being stolen. No client data has been affected," UBS said. "As soon as UBS became aware of the incident, it took swift and decisive action to avoid any impact on its operations."

Global Scale

In a statement, Chain IQ said it was one of 20 companies to be targeted by “a cyber-attack that had never before been seen on a global scale” which resulted in theft of data from some customers, with details published on the dark web.

“Immediately after the data was published on Thursday, June 12, 2025, at 5:15pm CET, all relevant systems were checked, secured, and protective measures were strengthened,” it said. “Law enforcement authorities were immediately involved. The incident was contained after eight hours and 45 minutes by revoking the attackers’ access to the affected environment.

The company confirmed that data containing employee business contact details of selected clients was exfiltrated “in connection with the cyber-attack on Chain IQ, this data contains the internal telephone numbers of client employees.” 

Long-Lasting Impact

Dr. Ilia Kolochenko, CEO at ImmuniWeb and a Fellow at the British Computer Society (BCS), said: “Based on the publicly available data, this data breach may have a disastrous and long-lasting impact on the Swiss banking industry – given that UBS is the largest financial institution of the country.

"An urgent investigation is required in collaboration with both law enforcement and private sector to establish the precise timeline, scope and thus the foreseeable consequences of the data breach. UBS should likewise urgently consider taking some preliminary measures, for example, by notifying the impacted employees and customers about the possible risks, to prevent damage.

"From the technical viewpoint, this incident is a grim reminder that third parties are the Achilles’ Heel even of the largest financial institutions. From the legal viewpoint, the question of liability is complex, however, it is perfectly possible that the bank may eventually be liable to the victims for the damage suffered as a result of the attack.”

Dan Raywood

Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.