What happened?
In November 2025, Habib Bank AG Zurich, a Switzerland-based private bank with Pakistani roots, fell victim to a devastating ransomware attack by the hacker group Qilin (also known as Agenda). The attackers penetrated the bank’s IT systems and exfiltrated approximately 2.5 terabytes of highly sensitive data before issuing a ransom demand.
Qilin is among the most technically sophisticated ransomware groups and operates a Ransomware-as-a-Service (RaaS) model. The group has been active since 2022, specialising in attacks against organisations with particularly sensitive data — financial institutions, healthcare facilities and government agencies.
What makes the attack especially serious is that the exfiltrated data was published on Qilin’s darknet leak site after the payment deadline expired. This included:
- Account data and transaction histories of bank clients
- Passport numbers and ID copies (KYC documents)
- Internal source code of banking applications
- Confidential business correspondence and compliance documents
- Employee data including personnel files
This represents one of the most severe data protection incidents in the Swiss financial sector in recent years.
Who was affected?
Habib Bank AG Zurich is a FINMA-regulated private bank with approximately 8,000 employees worldwide. It primarily serves high-net-worth private clients and business customers with ties to South Asia and the Middle East.
- Bank clients worldwide: Account data, transaction histories and identity documents compromised, exposing clients to heightened risk of identity theft and fraud
- Employees: Personnel files with sensitive personal information were part of the exfiltrated data
- The Swiss financial centre: The incident raises fundamental questions about cyber security at Swiss banks
- Regulators: FINMA and the FDPIC must review the incident and consider regulatory consequences
- Business partners and correspondent banks: Confidential inter-bank communications and compliance information could strain the bank’s business relationships
The publication of KYC documents is especially critical: passport copies and identity documents on the darknet enable large-scale identity theft that can be exploited years after the incident.
How large was the damage?
| Damage category | Estimated cost |
|---|---|
| Incident response and forensics | CHF 2–5m |
| System restoration and security audit | CHF 3–8m |
| Regulatory requirements and FINMA measures | CHF 5–15m |
| Legal advice and liability claims | CHF 5–10m |
| Client notification and monitoring | CHF 2–5m |
| Crisis communication and reputation management | CHF 1–3m |
| Client asset outflows (AuM) | CHF 50–200m |
| Reputational damage (long-term) | Difficult to quantify |
| Estimated total direct damage | CHF 18–46m |
The largest damage will likely come from loss of trust. For a private bank whose business model is built on discretion and trustworthiness, the publication of client data on the darknet is existentially threatening.
Insurance coverage analysis
| Cost item | Estimated cost | Covered by cyber insurance? |
|---|---|---|
| Incident Response & Forensics | CHF 2–5m | Yes – core service |
| System restoration & security audit | CHF 3–8m | Yes – typically covered |
| Regulatory requirements & FINMA measures | CHF 5–15m | Partially – fines often excluded |
| Legal advice & liability claims | CHF 5–10m | Yes – liability component |
| Client notification & monitoring | CHF 2–5m | Yes – regulatory obligation |
| Crisis communication & PR | CHF 1–3m | Yes – frequently included |
| Client asset outflows | CHF 50–200m | No – indirect consequential damage |
| Source code compromise (redevelopment) | CHF 5–15m | Partially – depends on policy |
| Reputational damage | Difficult to quantify | No – not insurable |
| Estimated total damage | CHF 70–260m | ~20–35% potentially covered |
For financial institutions, cyber insurance is an important but by no means sufficient safeguard. The largest damages — loss of trust, client outflows and regulatory consequences — are either uninsurable or insurable only to a very limited extent. Banks must therefore invest in first-class prevention.
Lessons for Swiss SMEs
- Highly sensitive data requires the highest level of protection: Companies processing identity documents, financial data or health data are particularly attractive targets.
- 2.5 TB of exfiltration should have been detected: A data outflow of this magnitude points to serious gaps in Data Loss Prevention (DLP). SMEs should implement at least basic monitoring of outbound data volumes.
- KYC documents are gold dust for criminals: Passport copies on the darknet enable years of identity abuse. Companies should store KYC data encrypted, with strictly regulated access.
- Source code does not belong in the regular network: Code repositories should be operated in isolated, specially protected environments.
- Regulatory consequences are severe: FINMA can impose significant measures for breaches of the duty of care. SMEs in regulated sectors must be able to demonstrate that they maintain their cyber security.
- Cyber insurance protects the balance sheet, not the reputation: A policy absorbs direct costs but cannot compensate for the loss of client trust. Prevention remains the most important investment.
Get a free consultation. The experts at BTAG Versicherungsbroker AG in Bern analyse your individual risk profile and find the right cyber insurance for your company — independent and transparent.