Cyber Incident Victim: Swiss Life
Date: Feb 2025
Location: Switzerland
Summary
A cyberattack targeting an external SMS provider used by Swiss Life for two-factor authentication compromised mobile phone numbers and potentially last names of registered users, impacting approximately 60 Swiss pension funds and 13,000 beneficiaries. The breach occurred during a limited timeframe, with no evidence of unauthorized account access or compromise of sensitive data such as addresses, salary details, or pension information. The incident was reported to Swiss federal cybersecurity and data protection authorities, and the provider implemented proactive monitoring to detect further unauthorized activity. Affected customers were advised to remain vigilant against suspicious SMS messages but were assured their existing login credentials remained secure for portal access.
Description
The Swiss Life cybersecurity incident stemmed from a breach at an external SMS authentication provider utilized by Swiss Life Pension Services (SLPS) for two-factor verification in its client portal. Between February 15 and 21, 2025, unauthorized actors accessed systems of this third-party provider, compromising mobile phone numbers and potentially surnames of registered users. The breach specifically affected individuals who had opted for SMS-based authentication codes or document notifications through SLPS's occupational pension solution portal. Swiss Life confirmed the incident impacted approximately 60 Swiss pension funds covering roughly 13,000 beneficiaries ("Destinatäre"), though the company asserted no exposure of sensitive personal data such as residential addresses, salary information, or pension details. Following the provider's internal investigation to determine affected parties and Swiss Life's own verification process, impacted customers received physical mail notifications on March 21, 2025—nearly one month after the intrusion window closed.

Swiss Life's external provider detected the breach and subsequently implemented proactive monitoring of potential unauthorized account access, with no evidence of compromised user accounts identified at the time of notification. The SMS provider reported the incident to Switzerland's Federal Office for Cybersecurity (BACS), while Swiss Life separately notified the Federal Data Protection and Information Commissioner (FDPIC). Affected customers were advised to maintain existing login credentials but exercise heightened vigilance regarding unsolicited SMS messages containing links or attachments. The company emphasized continued protection of portal data against unauthorized access but did not implement mandatory password resets or additional authentication measures. Swiss Life publicly expressed regret over the incident and stated that it was implementing measures to prevent future occurrences, though specific technical or procedural changes were not disclosed in the notification.
