Crises follow one another at Credit Suisse.
While the second-largest Swiss bank is currently fighting for survival after numerous scandals in its investment-banking division, it now must deal with another matter that could endanger some of its employees.
A former employee is in possession of personal information about other employees of the firm and even those who have left, according to emails Credit Suisse sent to employees on Feb. 13.
The rogue employee had legitimate access to this data while working at the bank. The employee copied the data and transferred it to a personal hard drive in violation of Credit Suisse policy. The employee no longer works for the firm.
The stolen information concerns employment information such as employee ID, gender, address, civil status or date of birth, employment information such as Social Security ID, and contact information.
Credit Suisse Waited 2 Years Before Informing Employees
The employee also took older compensation data (salary and variable compensation) for the period of 2013-2015.
The rogue employee used a Gmail address to copy the information.
Some affected Credit Suisse employees in New York told TheStreet that they received an email on Feb. 13 informing them that their data had been stolen. The emails that TheStreet reviewed are almost identical. The title is "Important Information regarding your personal data."
"We are writing to let you know about an incident that we recently understood concerns your personal information held by Credit Suisse," wrote Nita Patel, chief compliance officer at Credit Suisse, and James Keenan, group data protection officer, in one of the emails sent to employees on Feb. 13.
"While we have not identified evidence showing that your data has been subject to misuse, we wanted to share details and offer support as a result."
"From Credit Suisse’s perspective there is no further action required by you at this time."
They then explained what happened: "An individual employee, who has since left the firm and had legitimate access to your personal data at the time for their daily work, inappropriately copied this information without Credit Suisse’s authorization onto their personal device."
Patel and Keenan said that "once this incident was discovered, we immediately took actions to contain and protect your data. We have not identified evidence showing that your data has been subject to misuse."
The incident was first discovered by the bank in March 2021 amid Covid-19 lockdowns, a source told TheStreet.
The bank immediately alerted regulators to the incident. It then initiated an investigation to determine the identity of the employee and their location, followed by attempts to recover the data by turning to the courts, the source said.
It wasn't until late last December that the firm had a clear and comprehensive picture of what happened, the source said.
"Credit Suisse has recently addressed a data security incident that involved information relating to a number of Credit Suisse personnel," the bank said in an emailed statement.
"This data was moved some years ago by a former employee, with legitimate systems access, to their personal device - in breach of Credit Suisse policies and procedures.
"Having investigated it thoroughly, we have taken and are continuing to take steps -- including legal remedies -- to adequately contain the incident. To date, there is no evidence of any onward transmission or intent to use the data in any way."
The firm is seeking enforcement action against the individual.
Credit Suisse (CS) did not identify the rogue employee.
'It Bothered Me That It Took Awhile to Let Me Know'
Credit Suisse employees, who spoke to TheStreet on condition of anonymity, say they are disappointed that the bank took so long to notify them.
"It bothered me it took a while to let me know," one employee said. They added that "the leaked information is sensitive but does not really compromise me" because "I am in general very alert when it comes to these things. I get phishing emails all the time."
This new scandal comes when the morale of Credit Suisse employees is at a nadir.
Last year, the bank recorded a net loss of 7.3 billion francs ($8 billion). This is its worst result since 2008.
The assets managed by the bank amounted to 1.294 trillion Swiss francs ($1.41 trillion) in 2022, against 1.614 trillion Swiss francs ($1.76 trillion) the previous year. Clients are leaving the bank, taking their funds with them. And for employees, the numbers hurt their bonuses.
"As a bank, we want to reward our people fairly for their contribution, but we must also recognize the impact of the financial headwinds we faced last year," Chief Executive Ulrich Korner told employees in an email on Feb. 10.
"Moving forward, we will further align the incentives of our employees to the delivery of our transformational strategy, emphasizing the importance of differentiation and a true 'pay for performance' model."
The investment bank's mistakes have plunged Credit Suisse into numerous successive scandals in recent years. Two of them occurred almost one after the other in 2021, and caused losses of several billion dollars for the bank. The first was the bankruptcy of British company Greensill and the second was the failure of family office Archegos Capital Management.
The bank presented a new recovery plan last fall in an attempt to avoid bankruptcy. Credit Suisse wants to cut 9,000 jobs by 2025. Overall, the firm wants to reduce its cost base by 14.5 billion Swiss francs in three years.
It is also breaking up the investment bank into three parts and selling a "significant portion" of its securitized products group business.
Credit Suisse's revamp is considered an emergency plan to clear up uncertainty about its future.