Cybersecurity experts are mulling over the meaning of Swiss supply chain management provider Chain IQ’s explanation of a data breach that reportedly includes information copied from two banks.

In a news release Thursday, Chain IQ said the unnamed attacker, attributed in some news reports to a ransomware gang, used “tools and techniques that had never before been seen on a global scale” to breach security controls at Chain IQ and 19 other organizations.

The company provides procurement and supply chain management for customers including international banks.

Chain IQ doesn’t hold any data relating to its customers’ core business, including HR or IT information, it stressed, so no bank customer data was stolen in this attack. However, it added, data containing the business contact details of employees at selected clients was exfiltrated. This data includes the internal telephone numbers of client employees.

According to the Swiss news site Blue News, that included the internal phone numbers of Swiss-based bank UBS.

CSO attempted to contact Chain IQ and UBS for comment, but was unable to reach a spokesperson for either by publication time.

Yet another supply chain attack

What should be of note to CSOs is that this is another example of an attack on a third party supplier that impacts its customers.

“Chain IQ’s breach serves as yet another reminder that ‘trust, but verify’ [your partner’s security] is not just a saying, it should be embedded into every enterprise’s third-party governance model,” said Ensar Seker, CISO at SOCRadar.

The incident underscores the persistent and growing risk of third-party exposure in today’s interconnected enterprise ecosystem, he said in an email.

“When suppliers hold sensitive operational or financial data, even in the absence of client personally identifiable information, they become a highly attractive target for threat actors seeking leverage, intelligence, or access pathways into high-value organizations,” he said. “What’s notable here is that the breach impacted major financial and consulting institutions, which typically maintain rigorous internal security controls. This demonstrates that the weakest link often lies outside the perimeter.”

Leaks involving executive or employee-level data, especially those of high-profile individuals like UBS’s CEO, increase the likelihood of targeted phishing, social engineering, or even impersonation attempts, he pointed out. Even if no client data is compromised, stolen operational metadata like invoice histories, consultant relationships, or IT supplier engagements can provide adversaries with useful insights for crafting sophisticated campaigns.

“This is a classic case where traditional third-party risk management needs to mature into continuous fourth-party visibility and active vendor monitoring,” Seker added. “Organizations must go beyond one-time assessments and require vendors to maintain threat detection telemetry, incident reporting SLAs, and breach simulation exercises. Additionally, platforms that provide real-time breach alerts on vendors, such as DRP and supply chain intelligence solutions, are no longer optional, but essential to reduce response lag.”

The gang reportedly taking credit for these particular attacks is called Worldleaks. Tim Rawlins, senior adviser and director for security at NCC Group, said it appears to be a rebrand of Hunters International, which in turn came out of the group called Hive. It appears to be shifting to data theft, he said.

“This movement of threat actors to new groups, new names, and new methods of criminal activities and extortion is not unusual. We regularly see groups morph, either due to law enforcement activities or personal conflicts between members. Hive was disrupted by a German and US investigation and multiple law enforcement agencies’ activities. Hunters International changed tactics from a ransomware as a service gang to extortion based on the theft of corporate data,” he observed. 

There are benefits to criminals in making this switch. “The theft of corporate data, which can cover anything from M&A information, financial records and HR/staff records to detailed client information, can take place very quickly and doesn’t necessarily require long term access nor the ability to escalate the attacker’s privileges to an administrator level as is common with ransomware,” Rawlins pointed out. “Even a low level user in a sensitive job is likely to have access to some information that the organization would rather not see exposed or put up for sale to other criminals for fraudulent purposes.”

Trust isn’t enough

James McQuiggan, security awareness advocate at KnowBe4, said that trust alone isn’t enough when it comes to third-party risk and cybersecurity. Organizations need to manage third-party risk actively. “Don’t rely on a one-time assessment or questionnaire,” he said. “It’s crucial to consider regularly reviewing vendors’ protection of their data and systems. Keep checking in, especially with vendors that handle sensitive information. When a vendor is compromised, a quick response can be significant.” 

Organizations should have a well-documented and repeatable plan for handling a third-party incident or breach, he added. “Consider how to isolate the issue, who to contact, and how to communicate with employees and partners. Rate your vendors based on risk levels: one that has strong security programs versus one that does not. Higher risk vendors require additional oversight and tighter security controls.”
