Case Study: KBC’s Data Leak and the Unseen Threat in European Supply Chains
How a human error at a third-party vendor exposed 5,000 customers — and why it’s a wake-up call for every European organisation.
(Based on information published in De Tijd, 22–23 May 2025)
In May 2025, KBC Securities Services — a subsidiary of the Belgian financial group KBC — confirmed a major data incident involving approximately 5,000 clients. Due to a human error at an external service provider, clients received documents intended for other individuals. These included portfolio positions, internal service rates, and other sensitive financial information.
This was not a breach caused by malware or a cyberattack. It was a supply chain failure, and a deeply human one — with trust, confidentiality, and reputational risk on the line.
Some affected clients could easily identify other investors based on the leaked data. One customer even noted that he recognised a peer as a shareholder of a well-known company and that the portfolio in question was “not small.”
KBC apologised and immediately launched an internal investigation. As of now, no compensation has been announced, and the name of the external service provider involved has not been disclosed publicly.
A Familiar Pattern: Data Exposure Without Hacking
KBC Securities Services provides custody and securities-related services to asset managers, private banks, institutional investors, and family offices. During the annual dispatch of fee statements, a misconfiguration or mislabeling of client records by a third-party vendor caused documents to be sent to unintended recipients.
According to De Tijd, this means:
Specific clients gained insight into competitors’ portfolios
Some documents contained commercially sensitive data
The incident impacted a “limited number of clients” — but 5,000 in total were affected
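The failure described above (a vendor linking statements to the wrong recipients) is the kind of error a reconciliation step before dispatch can catch: the party that owns the client data checks the vendor's mailing manifest against its own register and blocks the batch on any mismatch. The Python below is an added illustration, not code from KBC, the vendor or the article; the client register, manifest rows, addresses and function names are all constructed assumptions.

```python
"""Pre-dispatch reconciliation of a vendor's mailing manifest against the
organisation's own client register. Added illustration; all names and sample
data are constructed, not taken from the case."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    doc_id: str      # identifier of the statement/document
    client_id: str   # client whose data the document contains
    recipient: str   # address the vendor's mailing manifest assigned


# Constructed: the authoritative client_id -> contact mapping, owned by the
# organisation rather than the vendor, so the check is independent of the
# data that may already be mislabelled.
CLIENT_REGISTER = {
    "C-1001": "alice@example-fund.test",
    "C-1002": "bob@example-bank.test",
    "C-1003": "carol@example-office.test",
}

# Constructed vendor manifest with two labelling errors deliberately included.
SAMPLE_MANIFEST = [
    Document("D-1", "C-1001", "alice@example-fund.test"),
    Document("D-2", "C-1002", "carol@example-office.test"),  # Bob's statement addressed to Carol
    Document("D-3", "C-1003", "carol@example-office.test"),
    Document("D-4", "C-9999", "dave@example.test"),          # client id not in the register
]


def reconcile(manifest, register):
    """Split a manifest into (release, hold).

    A document is released only if its client_id is in the register and the
    manifest recipient equals the register's contact for that client. Anything
    else is held together with a reason so a person can review it before
    anything leaves the building."""
    release, hold = [], []
    for doc in manifest:
        expected = register.get(doc.client_id)
        if expected is None:
            hold.append((doc, "client_id not in register"))
        elif doc.recipient.strip().lower() != expected.strip().lower():
            hold.append((doc, f"recipient mismatch: register says {expected}"))
        else:
            release.append(doc)
    return release, hold


def cross_client_recipients(manifest):
    """Recipients that would receive documents belonging to more than one
    client. This is the symptom the case describes (one investor seeing
    another's portfolio), so it is surfaced for review even when every row
    individually matches the register, e.g. a shared contact address."""
    seen = {}
    for doc in manifest:
        seen.setdefault(doc.recipient.strip().lower(), set()).add(doc.client_id)
    return {r: sorted(c) for r, c in seen.items() if len(c) > 1}


def gate_batch(manifest, register):
    """Dispatch gate: the whole batch is blocked if any document is held or any
    released recipient spans several clients. Returns (approved, hold, collisions).
    Blocking the batch rather than sending the 'good' rows is deliberate: a
    labelling error in one row casts doubt on the rest of the run."""
    release, hold = reconcile(manifest, register)
    collisions = cross_client_recipients(release)
    approved = not hold and not collisions
    return approved, hold, collisions


if __name__ == "__main__":
    approved, hold, collisions = gate_batch(SAMPLE_MANIFEST, CLIENT_REGISTER)
    print("batch approved:", approved)
    for doc, reason in hold:
        print(f"HOLD {doc.doc_id} ({doc.client_id} -> {doc.recipient}): {reason}")
    for recipient, clients in collisions.items():
        print(f"REVIEW {recipient} would receive documents for clients {clients}")
```

Run as-is, the constructed manifest is rejected: D-2 is held for a recipient mismatch and D-4 for an unknown client id, so the batch is not approved. The important design point is that the register used for the comparison is maintained by the data owner, not derived from the vendor's own labels; a check that reads both sides from the same mislabelled file proves nothing.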
The Hidden Risk: Third-Party Supplier Security
This case highlights a well-known yet still underappreciated reality: most modern breaches are not the result of someone defeating a firewall but of weak processes and poor supplier governance.
Two European regulations put this into sharp focus:
NIS2 (for essential & important entities):
Requires organisations to identify and manage supply chain cyber risks
Demands oversight of ICT service providers, especially in critical services
Emphasises incident reporting, including for vendor-related events
DORA (for financial entities):
Imposes strict rules on third-party ICT risk management
Classifies vendors as “critical” or “non-critical” with different oversight duties
Requires notification of major ICT incidents within 4 hours
Mandates exit strategies, audit rights, and resilience testing
In this case:
A third-party contractor linked documents to the wrong recipients
KBC was still held accountable, despite the error occurring externally
Regulators may investigate under GDPR, NIS2, and DORA
What the Law Requires — and Reality Often Ignores
It’s not enough to sign contracts or fill in due diligence checklists. Under modern EU legislation, organisations are expected to:
Understand how data flows across their extended digital supply chain
Proactively govern, monitor, and audit key ICT suppliers
Include data protection and breach clauses in vendor agreements
Run simulations and tabletop exercises that include vendor-related failures
KBC is now facing the real-world consequence of what happens when this isn’t watertight — even if the organisation’s internal systems remained uncompromised.
Leadership Actions to Take Now
This incident can — and should — be seen as a learning opportunity for every European organisation that handles sensitive data or outsources digital services.
Here’s what leaders should focus on:
Map Your Supplier Ecosystem
Identify all ICT, SaaS, and data-related service providers — not just Tier 1.
Conduct Real Due Diligence
Ask for evidence of security practices, audits, breach logs, and recovery processes.
Strengthen Contracts
Add clauses for breach reporting, data segregation, audit rights, and minimum standards.
Include Vendors in Incident Response Exercises
Don’t stop at phishing drills — simulate a vendor error with client impact.
Link This to Board-Level Risk
Supplier risk is now board-level accountability under both NIS2 and DORA.
Final Thought: The Next Mistake May Be Invisible Until It’s Too Late
KBC’s fast response and transparency are commendable. But even with compliance training, automated checks, and layered controls, one human error at one vendor triggered a regulatory, reputational, and operational crisis.
This wasn’t about firewalls. It was about governance.
The lesson?
Third-party security is not a back-office issue. It is a core part of your business resilience.
What You Can Do Next
Based on recent assessments, most European organisations still lack sufficient visibility and control over their ICT service providers.
To help you get started, we’ve developed a concise Third-Party Security Maturity Checklist to assess your readiness for NIS2 and DORA.
✅ Want to benchmark your practices?
✅ Need support with vendor governance or contract clauses?
✅ Curious about real-world resilience planning?
👉 Call us or reach out via WhatsApp: +32495814741
About the Author
I’m Jetro WILS. I help mid-sized organisations and critical sectors build real cyber resilience — not just checkboxes — by aligning security governance with NIS2, DORA, and modern cloud environments.
As a Chief Information Security Officer, I strengthen cybersecurity management, compliance, and resilience for European organisations.
Disclaimer
This article is based on publicly available information from De Tijd (22–23 May 2025) and does not represent an official investigation or legal conclusion.
Sources: