(Based on information published in De Tijd, 22–23 May 2025)

In May 2025, KBC Securities Services — a subsidiary of the Belgian financial group KBC — confirmed a major data incident involving approximately 5,000 clients. Due to a human error at an external service provider, clients received documents intended for other individuals. These included portfolio positions, internal service rates, and other sensitive financial information.

This was not a breach caused by malware or a cyberattack. It was a supply chain failure, and a deeply human one — with trust, confidentiality, and reputational risk on the line.

Some affected clients could easily identify other investors based on the leaked data. One customer even noted that he recognised a peer as a shareholder of a well-known company and that the portfolio in question was “not small.”

KBC apologised and immediately launched an internal investigation. As of now, no compensation has been announced, and the name of the external service provider involved has not been disclosed publicly.

A Familiar Pattern: Data Exposure Without Hacking

KBC Securities Services provides custody and securities-related services to asset managers, private banks, institutional investors, and family offices. During the annual dispatch of fee statements, a misconfiguration or mislabeling of client records by a third-party vendor caused documents to be sent to unintended recipients.

According to De Tijd, this means:

• Specific clients gained insight into competitors’ portfolios

• Some documents contained commercially sensitive data

• The incident impacted a “limited number of clients” — but 5,000 in total were affected

The Hidden Risk: Third-Party Supplier Security

This case highlights a well-known yet still underappreciated reality: most modern breaches don’t stem from firewall breaches but from weak processes and poor supplier governance.

Two European regulations put this into sharp focus:

NIS2 (for essential & important entities):

• Requires organisations to identify and manage supply chain cyber risks

• Demands oversight of ICT service providers, especially in critical services

• Emphasises incident reporting, including for vendor-related events

DORA (for financial entities):

• Imposes strict rules on third-party ICT risk management

• Classifies vendors as “critical” or “non-critical” with different oversight duties

• Requires notification of major ICT incidents within 4 hours

• Mandates exit strategies, audit rights, and resilience testing

In this case:

• A third-party contractor linked documents to the wrong recipients

• KBC was still held accountable, despite the error occurring externally

• Regulators may investigate under GDPR, NIS2, and DORA

What the Law Requires — and Reality Often Ignores

It’s not enough to sign contracts or fill in due diligence checklists. Under modern EU legislation, organisations are expected to:

• Understand how data flows across their extended digital supply chain

• Proactively govern, monitor, and audit key ICT suppliers

• Include data protection and breach clauses in vendor agreements

• Run simulations and tabletop exercises that include vendor-related failures

KBC is now facing the real-world consequence of what happens when this isn’t watertight — even if the organisation’s internal systems remained uncompromised.

Leadership Actions to Take Now

This incident can — and should — be seen as a learning opportunity for every European organisation that handles sensitive data or outsources digital services.

Here’s what leaders should focus on:

1. Map Your Supplier Ecosystem

   Identify all ICT, SaaS, and data-related service providers — not just Tier 1.

2. Conduct Real Due Diligence

   Ask for evidence of security practices, audits, breach logs, and recovery processes.

3. Strengthen Contracts

   Add clauses for breach reporting, data segregation, audit rights, and minimum standards.

4. Include Vendors in Incident Response Exercises

   Don’t stop at phishing drills — simulate a vendor error with client impact.

5. Link This to Board-Level Risk

   Supplier risk is now board-level accountability under both NIS2 and DORA.

Final Thought: The Next Mistake May Be Invisible Until It’s Too Late

KBC’s fast response and transparency are commendable. But even with compliance training, automated checks, and layered controls, one human error at one vendor triggered a regulatory, reputational, and operational crisis.

This wasn’t about firewalls. It was about governance.

The lesson?

Third-party security is not a back-office issue. It is a core part of your business resilience.

What You Can Do Next

Based on recent assessments, most European organizations still lack sufficient visibility and control over their ICT service providers.

To help you get started, we’ve developed a concise Third-Party Security Maturity Checklist to assess your readiness for NIS2 and DORA.

✅ Want to benchmark your practices?
✅ Need support with vendor governance or contract clauses?
✅ Curious about real-world resilience planning?

👉 Call us or reach out via WhatsApp: +32495814741

About the Author
I’m Jetro WILS. I help mid-sized organisations and critical sectors build real cyber resilience — not just checkboxes — by aligning security governance with NIS2, DORA, and modern cloud environments.

As a Chief Information Security Officer, I Strengthen Cybersecurity Management, Compliance, and Resilience for European Organizations.

Disclaimer

This article is based on publicly available information from De Tijd (22–23 May 2025) and does not represent an official investigation or legal conclusion.

Sources:

• https://www.tijd.be/ondernemen/banken/kbc-riskeert-stevige-reputatieschade-na-datalek/10608733.html

• https://www.tijd.be/ondernemen/banken/data-van-duizenden-klanten-gelekt-bij-effectendochter-kbc-bank/10608636.html