UBS Data Leak via Chain IQ: Third Party Risk & Supply Chain Security Lessons

Data leak at UBS service provider Chain IQ reveals serious weaknesses in supply chain security

Last week, it became known that the major Swiss bank UBS was the indirect victim of a cyberattack – the strategic service provider Chain IQ, an international provider of procurement management, was affected. According to media reports, the attack compromised the personal data of over 130,000 UBS employees as well as confidential accounting data from Pictet Bank (Le Temps,SRF, Handelszeitung).

The fact that a company specializing in outsourcing itself becomes a target underlines an unpleasant truth: supply chains have long since become a systemically relevant target – especially in highly regulated sectors such as financial services.

Supply Chain Attacks: From SolarWinds to Chain IQ

Such incidents are reminiscent of the infamous SolarWinds attack, which used an infected software component to gain access to tens of thousands of organizations worldwide, including U.S. government agencies and technology companies like Microsoft and Cisco (NPR, NCSC UK, PSU Library). The pattern is clear: cybercriminals use systemically relevant service providers to gain access to a much larger ecosystem.

Chain IQ acts as such a hub. The fact that hackers specifically target such service providers is strategically motivated: The multiplier effect of a successful attack is considerable.

Associated risks: International data flows and access by third countries

In our last article, we already referred to critical risks in the context of Third Country Intercept context: Even legally permissible data flows can lead to massive security incidents when combined with weak protective measures.

Current events clearly show that technical and contractual protective measures alone are not enough. A holistic security strategy across all third-party relationships is required.

Pragmatica TPSRM: Protection that goes beyond company boundaries

Pragmatica AG has been helping organizations protect their information assets for over 25 years – both internally and externally. With our Third Party Security Risk Management (TPSRM) service, we specifically address the challenges of growing dependencies in the context of outsourcing, cloud and partner ecosystems.

Our range of services in the area of information security and cyber security specifically addresses the challenges of sourcing, partnerships and outsourced services. Together with our clients, we develop security strategies that have an impact beyond their own company – regulatory sound, technically coordinated and operationally feasible.

In conjunction with our Risk, Compliance & Privacy Service we create integrated solutions that holistically cover technological, legal and organizational aspects.

Our service includes:

- Systematic discovery and GAP analyses
- Comparison with reference models (e.g. ISO/IEC 27036, NIST)
- Prioritized roadmap with concrete measures
- Implementation support and stakeholder management
- Interlocking with cloud security, data governance, BCM & incident response

Our approach ismodular, tried-and-tested and scalable across all sectors – we combine technical excellence with regulatory understanding and a clear focus on implementation.

Conclusion: the security strategy does not end at the company's borders

Chain IQ is a prominent example – but by no means an isolated case. The supply chain is one of the most dangerous areas of attack today. Companies must understand and actively manage third-party risks as an integral part of their security architecture.

Let’s strengthen your resilience together with a TPSRM approach that works.

Do you have any questions?
We would be happy to accompany you and your company on the path to security!