At the end of May 2023, it became known that the Swiss company Xplain, a provider of government software, had been the victim of a ransomware attack. In a ransomware attack, the victim's files are encrypted and so rendered unusable in order to extort a ransom. In this case, a hacker group called Play stole large amounts of data, including Federal Administration operational data generated by the running of the administration’s IT systems.
In consultation with the prosecution authorities and the National Cyber Security Centre (NCSC), Xplain did not pay the ransom demanded by the hackers; the hackers subsequently published the stolen data package on the darknet on 14 June.
After the data leak became known, the NCSC established a response group to deal with the incident in close cooperation with the authorities concerned. Intensive work is currently under way to evaluate and analyse the stolen data. The federal government also initiated measures to minimise the security risk to the Federal Administration.
There are still no indications that federal systems were directly attacked. As operational data was affected, various Federal Administration units have filed criminal charges against persons unknown or are considering taking this step. This is to clarify the circumstances that led to Federal Administration data ending up in Xplain’s IT system.
SEM informs individuals affected by the data leak
Personal data processed by the State Secretariat for Migration (SEM) and the cantonal migration authorities is also affected by the data leak at Xplain. According to the current state of the ongoing analyses, this involves data in connection with SEM's tasks in the areas of entry, residence and the labour market as well as removal measures and measures banning entry.
SEM is in the process of directly notifying, in writing, the individuals whose sensitive personal data has been published. This process is expected to be completed by the end of October.
SEM has reported the incident to the Federal Data Protection and Information Commissioner (FDPIC). The information available about this incident is continuously being updated as more becomes known.
Last modification 11.09.2023