{"id":3639,"date":"2025-06-19T22:49:39","date_gmt":"2025-06-19T22:49:39","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=3639"},"modified":"2025-06-19T22:49:39","modified_gmt":"2025-06-19T22:49:39","slug":"chain-iq-data-theft-highlights-need-to-oversee-third-party-suppliers","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=3639","title":{"rendered":"Chain IQ data theft highlights need to oversee third party suppliers"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Cybersecurity experts are mulling over the meaning of Swiss supply chain management provider Chain IQ\u2019s explanation of a data breach that reportedly includes information copied from two banks.<\/p>\n<p>In a news release Thursday, Chain IQ said the unnamed attacker, attributed in some news reports to a ransomware gang, used \u201ctools and techniques that had never before been seen on a global scale\u201d to breach security controls at the company and 19 other organizations.<\/p>\n<p>The company provides procurement and supply chain management for customers including international banks.<\/p>\n<p>Chain IQ doesn\u2019t have any data relating to its customers\u2019 core business, including HR or IT information, <a href=\"https:\/\/chainiq.com\/news\/cyber-attack-chain-iq-group-ag\/\" target=\"_blank\" rel=\"noopener\">it stressed<\/a>, so no bank customer data was stolen in this attack.\u00a0However, it added, data containing employee business contact details of selected clients were exfiltrated. 
This data contains the internal telephone numbers of client employees.<\/p>\n<p><a href=\"https:\/\/www.bluewin.ch\/en\/news\/switzerland\/hackers-publish-ermottis-phone-number-on-the-darknet-2745450.html\" target=\"_blank\" rel=\"noopener\">According to the Swiss news site Blue News<\/a>, that included the internal phone numbers of Swiss-based bank UBS.<\/p>\n<p><em>CSO<\/em> attempted to contact Chain IQ and UBS for comment, but was unable to reach a spokesperson for either by publication time.<\/p>\n<h2 class=\"wp-block-heading\">Yet another supply chain attack<\/h2>\n<p>What should be of note to CSOs is that this is another example of an <a href=\"https:\/\/www.csoonline.com\/article\/561323\/supply-chain-attacks-show-why-you-should-be-wary-of-third-party-providers.html\">attack on a third party supplier<\/a> that impacts its customers.<\/p>\n<p>\u201cChain IQ\u2019s breach serves as yet another reminder that \u2018trust, but verify\u2019 [your partner\u2019s security] is not just a saying, it should be embedded into every enterprise\u2019s third-party governance model,\u201d said Ensar Seker, CISO at SOCRadar.<\/p>\n<p>The incident underscores the persistent and growing <a href=\"https:\/\/www.csoonline.com\/article\/4002765\/third-party-risk-management-is-broken-but-not-beyond-repair.html\">risk of third-party exposure<\/a> in today\u2019s interconnected enterprise ecosystem, he said in an email.<\/p>\n<p>\u201cWhen suppliers hold sensitive operational or financial data, even in the absence of client personally identifiable information, they become a highly attractive target for threat actors seeking leverage, intelligence, or access pathways into high-value organizations,\u201d he said. \u201cWhat\u2019s notable here is that the breach impacted major financial and consulting institutions, which typically maintain rigorous internal security controls. 
This demonstrates that the weakest link often lies outside the perimeter.\u201d<\/p>\n<p>Leaks involving executive or employee-level data, especially those of high-profile individuals like UBS\u2019s CEO, increase the likelihood of targeted phishing, social engineering, or even impersonation attempts, he pointed out. Even if no client data is compromised, stolen operational metadata like invoice histories, consultant relationships, or IT supplier engagements can provide adversaries with useful insights for crafting sophisticated campaigns.<\/p>\n<p>\u201cThis is a classic case where traditional third-party risk management needs to mature into continuous fourth-party visibility and active vendor monitoring,\u201d Seker added. \u201cOrganizations must go beyond one-time assessments and require vendors to maintain threat detection telemetry, incident reporting SLAs, and breach simulation exercises. Additionally, platforms that provide real-time breach alerts on vendors, such as DRP and supply chain intelligence solutions, are no longer optional, but essential to reduce response lag.\u201d<\/p>\n<p>The gang reportedly taking credit for these particular attacks is called Worldleaks. Tim Rawlins, senior adviser and director for security\u00a0at NCC Group, said it appears to be\u00a0a rebrand of Hunters International, which in turn came out of the group called Hive. It appears to be shifting to data theft, he said.<\/p>\n<p>\u201cThis movement of threat actors to new groups, new names, and new methods of criminal activities and extortion is not unusual. We regularly see groups morph, either due to law enforcement activities or personal conflicts between members. Hive was disrupted by a German and US investigation and multiple law enforcement agencies\u2019 activities. 
Hunters International changed tactics from a ransomware as a service gang to extortion based on the theft of corporate data,\u201d he observed.\u00a0<\/p>\n<p>There are benefits to criminals in making this switch. \u201cThe theft of corporate data, which can cover anything from M&amp;A information, financial records and HR\/staff records to detailed client information can take place very quickly and doesn\u2019t necessarily require long term access nor the ability to escalate the attacker\u2019s privileges to an administrator level as is common with ransomware,\u201d Rawlins pointed out. \u201cEven a low level user in a sensitive job is likely to have access to some information that the organization would rather not see exposed or put up for sale to other criminals for fraudulent purposes.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Trust isn\u2019t enough<\/h2>\n<p>James McQuiggan, security awareness advocate at\u00a0KnowBe4, said that trust alone isn\u2019t enough when it comes to third-party risk and cybersecurity. Organizations need to manage third-party risk actively. \u201cDon\u2019t rely on a one-time assessment or questionnaire,\u201d he said. \u201cIt\u2019s crucial to consider regularly reviewing vendors\u2019 protection of their data and systems. Keep checking in, especially with vendors that handle sensitive information. When a vendor is compromised, a quick response can be significant.\u201d\u00a0<\/p>\n<p>Organizations should have a well-documented and repeatable plan for handling a third-party incident or breach, he added. \u201cConsider how to isolate the issue, who to contact, and how to communicate with employees and partners. Rate your vendors based on risk levels: one that has strong security programs versus one that does not. 
Higher risk vendors require additional oversight and tighter security controls.\u201d<\/p>\n<p>More on third-party risk:<\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/3509184\/third-party-risk-management-can-learn-a-lot-from-the-musk-ox.html\">Third-party risk management can learn a lot from the musk ox<\/a><\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/1305977\/6-best-practices-for-third-party-risk-management.html\">6 best practices for third-party risk management<\/a><\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/575575\/why-assessing-third-parties-for-security-risk-is-still-an-unsolved-problem.html\">Why assessing third parties for security risk is still an unsolved problem<br \/><\/a><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Cybersecurity experts are mulling over the meaning of Swiss supply chain management provider Chain IQ\u2019s explanation of a data breach that reportedly includes information copied from two banks. 
In a news release Thursday, Chain IQ said the unnamed attacker, attributed in some news reports to a ransomware gang, used \u201ctools and techniques that had never [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":3624,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-3639","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3639"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3639"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3639\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/3624"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3639"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3639"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3639"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}