On January 20, the data protection officer for Credit Suisse AG filed a breach notification with the Maine Attorney General’s Office. According to their notice, a breach occurred on or about January 1, 2016. The exact date was unknown, and the breach reportedly wasn’t discovered until December 21, 2022.
The summary description of the incident made it clear, however, that they considered this an insider-wrongdoing incident:
Former terminated IT employee with authorized access to the data while employed with Credit Suisse was able to access and wrongly move the data outside of Credit Suisse’s systems.
The types of information acquired by the employee included individuals’ name or other personal identifier in combination with: “Financial Account Number or Credit/Debit Card Number (in combination with security code, access code, password or PIN for the account)”
The incident reportedly affected a total of 9 people, including 9 Maine residents.
Since written notice has not been provided yet, some of the details usually provided in notification letters are not yet available, but given the date of the breach, DataBreaches immediately wondered if this could be the same employee involved in a significant data leak disclosed in early 2022. Long-time readers of DataBreaches will recall that there have been a number of reports or incidents over more than a decade involving employees leaking data or misusing data, but the 2022 incident reported by the BBC allegedly involved an employee who provided documents to a German newspaper.
DataBreaches contacted Credit Suisse to ask whether this was the same employee and whether the former employee had managed to move the data while still employed or if they had been able to exfiltrate data after their employment terminated.
Although Credit Suisse declined to comment on the incident or this site’s queries, a person with knowledge of the incident stated that yes, this was the same former employee who had released documents to the media in 2022 (but see CORRECTION, below). They also stated that the former employee had been able to move the data while they were still employed. They would not provide any further details.
Coverage of some previous incidents involving Credit Suisse employees can be found linked from:
- Credit Suisse on the defensive after dirty money data leak
- How Germany’s taxman used stolen data to squeeze Switzerland
- Ex-Credit Suisse worker guilty of data theft
- Swiss Data Affair Could Pay Off Handsomely for Germany
- SEC Charges Credit Suisse Investment Banker with Insider Trading
CORRECTION: This post previously reported that the employee was the same employee who leaked the massive data to the media in 2022. DataBreaches has since been informed that the Maine filing had nothing to do with the 2022 media leaks story reported by the BBC and other news outlets at the time. The Maine filing does not relate to client data, only to employee data, it seems. “There was some media pick-up on this matter last year, but it is nothing to do with “Suisse Leaks”, which did relate to client data,” DataBreaches has been told.
So it was the same employee involved in a previously reported leak but not the massive client data leak of 2022. DataBreaches apologizes for the error.