(Bloomberg) — Last month, a fake email purporting to be from Credit Suisse Group AG Chief Executive Officer Thomas Gottstein that contained personal data about former employees was sent to law enforcement officials, regulators and the press in multiple countries.
Two weeks later, the Zurich-based lender has filed a lawsuit in the U.S. seeking to unmask the source of the message — which it suspects may have been an inside job.
Using a fake Gmail account bearing Gottstein’s name, the March 20 message attached proprietary files in an “apparent effort to inflict the maximum damage possible to Credit Suisse,” according to the complaint filed in San Francisco federal court.
Ex-Credit Suisse employees’ addresses, telephone numbers, dates of birth, social security numbers, bank account details, gender and marital status were disclosed, according to the court filing.
The incident comes as Credit Suisse is managing the aftermath of the Archegos Capital Management blowup, in which it took a $4.7 billion hit, the biggest so far among the investment banks that extended credit to trader Bill Hwang. Gottstein, who took over in February last year after a spying scandal toppled his predecessor, has said that “serious lessons will be learned” from the scandal.
The mystery authors of the March 20 email said they have hundreds of thousands of additional, similar records about Credit Suisse employees and “other stakeholders,” and threatened to disclose them, according to the suit.
The email accomplished what it claimed it was disclosing: an alleged data breach at Credit Suisse. It asked recipients to “take action against the bank” unless Credit Suisse takes “swift and immediate action,” according to the Thursday complaint.
The bank denies that it failed to protect personal data. Credit Suisse said in the suit that it follows “robust policies and procedures” to maintain its systems and databases and that the email’s contents reveal the defendants at some point gained access to detailed internal information, including its contractual relationships and ongoing business relationships.
Credit Suisse said the culprits “may be one or more former employees but there is not yet sufficient information to conclusively link the Email to any specific individual or group of individuals.”
The lawsuit was reported earlier by Reuters.
The case is Credit Suisse Securities v. Does, 21-cv-02568, U.S. District Court, Northern District of California (San Francisco)