Switzerland: Play ransomware leaked 65,000 government documents

The National Cyber Security Centre (NCSC) of Switzerland has released a report on its analysis of a data breach following a ransomware attack on Xplain, disclosing that the incident impacted thousands of sensitive Federal government files.

Xplain is a Swiss technology and software solutions provider for various government departments, administrative units, and even the country's military force. The Play ransomware gang breached the company on May 23, 2023.

At the time, the threat actor claimed to have stolen documents containing confidential information, and in early June 2023, it followed through on its threats and published the stolen data on its darknet portal.

The Swiss government started investigating the leaked files and instantly admitted that the leaked data might contain documents belonging to the Federal Administration of Switzerland.

In a new statement published today, the Swiss government confirmed that 65,000 government documents were leaked in the breach:

• Out of approximately 1.3 million files published by Play ransomware, about 5% (65,000 documents) are relevant to the Federal Administration.
• Most (95%) of those files impact the administrative units of the Federal Department of Justice and Police (FDJP): the Federal Office of Justice, the Federal Office of Police, the State Secretariat for Migration, and the internal IT service center ISC-FDJP.
• The Federal Department of Defence, Civil Protection and Sport (DDPS) were minorly affected, accounting for just over 3% of that data.
• Around 5,000 documents contained sensitive information, including personal data (names, email addresses, telephone numbers, and addresses), technical details, classified information, and account passwords.
• A small set of a few hundred files contained IT system documentation, software or architectural data, and passwords.

The announcement says the administrative investigation, launched on August 23, 2023, is set to be completed by the end of this month, and the full results and cybersecurity recommendations will be shared with the Federal Council.

The investigation's extensive duration is attributed to the complexity of analyzing unstructured data and the large volume of the leaked data, which required significant time and resources to triage documents relevant to the Federal Administration.

Also, analyzing the leaked data for evidence is legally complicated, as confidential information requires inter-agency coordination and participation, inevitably prolonging the process.