Following the leak of Credit Suisse account data to a German newspaper, we explore what financial institutions can learn from the dangers of insider threats
It was reported last night that Credit Suisse has defended its position, following the leak of data from over 30,000 accounts, holding over $100 billion (£73.6 billion), to the German newspaper Süddeutsche Zeitung by a whistleblower.
From there, the data was shared with the Organised Crime and Corruption Reporting Project and 46 other news organisations, including the New York Times, The Guardian and France's Le Monde.
The group of outlets, upon investigating the data, which covered accounts held from the 1940s to the 2010s, alleged that Credit Suisse was hosting accounts belonging to human rights abusers and businessmen placed under sanctions.
The investigations conducted by the consortium have been collectively named the ‘Suisse Secrets’.
The exact affiliations of the whistleblower who released the account data, if any, are not yet known; however, they told Süddeutsche Zeitung over a year ago: “I believe that Swiss banking secrecy laws are immoral. The pretext of protecting financial privacy is merely a fig leaf covering the shameful role of Swiss banks as collaborators of tax evaders.”
Credit Suisse’s response
In response to allegations, the second largest bank in Switzerland denied wrongdoing, claiming that the data was “predominantly historical”, and that the findings were taken out of context.
A statement released by the financial institution continued: “Approximately 90% of the reviewed accounts are today closed or were in the process of closure prior to receipt of the press inquiries, of which over 60% were closed before 2015.
“Of the remaining active accounts, we are comfortable that appropriate due diligence, reviews and other control-related steps were taken in line with our current framework.
“We will continue to analyse the matters and take additional steps if necessary.”
Secrecy laws in Switzerland: the state of play
While it’s now common practice for Swiss banks like Credit Suisse to share data with other countries, via an exchange system established in 2018 to tackle tax evasion, many developing nations are currently excluded from this system.
Meanwhile, since 2015, Article 47 of Switzerland's 1934 Federal Law on Banks has also applied to any third party that “reveals” or “exploits” a secret originating from within a Swiss bank, not only to bank insiders.
According to The Guardian, the UN special rapporteur on the promotion and protection of the right to freedom of opinion and expression, Irene Khan, has stated that this article is being assessed.
“The general principle must be that all organisations should have a duty of care to protect personal data appropriately, and to adhere to local privacy laws where applicable – including GDPR, the UK’s DPA and the Swiss Federal Act on Data Protection in the case of Credit Suisse. All these regulations mandate that adequate security must be in place,” said Peter Galdies, founder and senior consultant at data protection and privacy specialists DQM GRC.
“In this case the question is, how did the individual have such access that they could download and distribute the details of over 30,000 clients? Was the individual in a role where this kind of access was required, or were access controls too loose? It’s impossible for us to comment on the specifics, but what we can say for sure is that all organisations should review their systems and controls to ensure that such large-scale access to sensitive data is suitably controlled and limited to the minimum number of essential personnel.”
Staying aware of insider threats
“Staff often bring more risks than any remote attack as they are equipped with the advantage of having overriding powers and insider knowledge, making it impossible to protect from completely.
“Whether a data leak is conscious or not, staff are often overlooked when it comes to the biggest threats in an organisation. Insider threats are sometimes forgotten about after the vetting stage but they usually lead to the most damaging consequences and can leave a more challenging clean-up operation in their wake.”
Information Age analysis
Today’s revelations underline the need to stay alert to insider threats. While it has not been confirmed that the whistleblower in question was a Credit Suisse employee, financial institutions need to remain vigilant about anyone who has access to account data, staff included.
Adequate defence against insider threats calls for a zero trust approach across all endpoints: every request for access is authenticated and authorised, every time, regardless of the device or network it comes from, and each user is granted only the minimum access their role requires. Risk assessments should be carried out continuously, with policy and procedure changes documented, and user behaviour monitored for anomalous actions that could precede a leak, such as one account reading or exporting an unusually large number of client records, which is what assembling the data at the centre of this Credit Suisse case would have required.
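As an added illustration of the monitoring step described above (example code written for this page, not part of the original article and not a description of Credit Suisse’s or any bank’s actual systems), the script below runs a simple bulk-access detection over a constructed application access log. The log format, the per-role baselines, the 24-hour window and every user and account identifier are assumptions made up for the example; a real deployment would derive baselines from observed behaviour per role and feed alerts to the SOC rather than returning a dict.

```python
"""Added example: flag users who touch an anomalous number of distinct
client accounts inside a sliding window.

Assumed (constructed) log line format, one event per line:
    <ISO timestamp> user=<id> role=<role> action=<VIEW|EXPORT> account=<id>
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed per-role ceiling on distinct client accounts a single user is
# expected to touch within WINDOW. A limit of 0 means the role should never
# read client records directly (e.g. a DBA working on the platform).
ROLE_BASELINE = {
    "relationship_manager": 40,
    "compliance_analyst": 200,
    "dba": 0,
}
WINDOW = timedelta(hours=24)


def parse_line(line):
    """Parse one constructed log line into a dict; raise on malformed input."""
    ts_str, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    for key in ("user", "role", "action", "account"):
        if key not in fields:
            raise ValueError(f"missing {key!r} in log line: {line}")
    fields["ts"] = datetime.fromisoformat(ts_str)
    return fields


def find_bulk_access(log_text, baseline=ROLE_BASELINE, window=WINDOW):
    """Return {user: alert} for each user whose distinct-account count within
    any sliding window exceeds the baseline for their role. Only the first
    breach per user is recorded, so a sweep of 30,000 accounts yields one
    alert at the moment the threshold is crossed, not thousands."""
    events = sorted(
        (parse_line(l) for l in log_text.splitlines() if l.strip()),
        key=lambda e: e["ts"],
    )
    recent = defaultdict(deque)  # user -> deque of (ts, account) inside window
    alerts = {}
    for e in events:
        q = recent[e["user"]]
        q.append((e["ts"], e["account"]))
        # Drop accesses that have aged out of the window.
        while q and e["ts"] - q[0][0] > window:
            q.popleft()
        distinct = {acct for _, acct in q}
        # Unknown roles get zero tolerance rather than a silent pass.
        limit = baseline.get(e["role"], 0)
        if len(distinct) > limit and e["user"] not in alerts:
            alerts[e["user"]] = {
                "role": e["role"],
                "distinct_accounts": len(distinct),
                "limit": limit,
                "at": e["ts"].isoformat(),
                "action": e["action"],
            }
    return alerts


def build_sample_log():
    """Constructed log covering four cases: a normal relationship manager,
    one sweeping 45 accounts, one whose 60 accesses are split across two
    days (no single window exceeds the limit), and a DBA doing one lookup."""
    base = datetime(2022, 2, 20, 8, 0)
    lines = []
    for i in range(3):
        lines.append(f"{(base + timedelta(minutes=i)).isoformat()} "
                     f"user=u101 role=relationship_manager action=VIEW account=CH-{i:04d}")
    for i in range(45):
        lines.append(f"{(base + timedelta(minutes=i)).isoformat()} "
                     f"user=u303 role=relationship_manager action=EXPORT account=CH-{1000 + i:04d}")
    for i in range(30):
        lines.append(f"{(base + timedelta(minutes=i)).isoformat()} "
                     f"user=u404 role=relationship_manager action=VIEW account=CH-{3000 + i:04d}")
        lines.append(f"{(base + timedelta(days=2, minutes=i)).isoformat()} "
                     f"user=u404 role=relationship_manager action=VIEW account=CH-{4000 + i:04d}")
    lines.append(f"{(base + timedelta(hours=1)).isoformat()} "
                 f"user=u909 role=dba action=VIEW account=CH-2000")
    return "\n".join(lines)


if __name__ == "__main__":
    for user, alert in find_bulk_access(build_sample_log()).items():
        print(user, alert)
```

The sliding window matters: user u404 touches 60 accounts in total but never more than 30 in any 24-hour period, so a naive daily total would alert on them while the window-based check does not. Conversely, a role whose baseline is zero alerts on a single lookup, which is how a platform administrator browsing client records would surface.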
The so-called ‘Suisse Secrets’ findings also raise a balancing act to be struck between keeping account data secure and a wider public interest in exposing human rights abuses and breaches of democratic practice, among other controversies. With the UN examining the aforementioned Article 47 of the 1934 Federal Law on Banks in Switzerland, legislation may shift following this incident. With Swiss watchdogs also monitoring the situation, this is a legal picture that looks set to evolve in the coming weeks and months.