Data Protection Commissioner sees errors by the Federal Government and Xplain after hacker attack
Published: Wednesday, May 1st 2024, 13:20
In the case of the cyberattack by criminals on the internet company Xplain, both the federal government and the Bernese IT company made mistakes. This is what the Federal Data Protection Commissioner writes in three investigation reports published on Wednesday.
Neither the Federal Office of Police (Fedpol) nor the Federal Office for Customs and Border Security (FOCBS) had clearly agreed with Xplain on the conditions under which personal data could be stored on the Xplain server. This is stated in the communication from the Federal Data Protection and Information Commissioner (Edöb).
The federal authorities should have explicitly stated the extent to which personal data could be transmitted to the Bern-based company and stored by Xplain. Without these precise requirements, "a collection of unstructured data" was ultimately created on Xplain's server. Edöb also considers the amount of personal data transmitted to be disproportionate.
Xplain had no access to the databases of the two federal offices. However, in Edöb's view, the company should have known that the support functions it programmed could also contain personal data. "For these processing operations, Xplain, as the processor, did not take appropriate measures to ensure data security (...)."
Xplain had also violated the data protection principles of purpose limitation and proportionality. In addition, personal data had been stored in breach of contract despite the existence of individual contractual deletion obligations.
External investigation report also available
The cyberattack on the IT service provider Xplain became known on May 23. The attackers exploited a vulnerability on Xplain's servers, deployed ransomware and stole data belonging to the Federal Administration. Because they did not receive a ransom, they published the data on the darknet.
Among other things, personal data from the military police and details of people who were listed in the Hoogan hooligan information system in 2015 ended up on the darknet.
Not only Edöb, but also the Federal Council reacted to the data leak. It set up a crisis team called "Data Outflow" to ensure that no further data leaked. It also commissioned a Geneva law firm to carry out an administrative investigation by the end of March.
As the state government announced on Wednesday, the Geneva lawyers have also come to the conclusion that the federal agencies concerned made mistakes. Suppliers had not been selected carefully enough and had not been properly instructed and monitored.
Federal Council adopts measures
Following the external investigation, the Federal Council decided on measures to prevent future data leaks. Firstly, it wants to strengthen the Confederation's security management by requiring the administration to draw up additional security guidelines for cooperation with suppliers by the end of 2024.
Secondly, the national government will have a concept for training employees and raising their awareness drawn up by the end of the year. Thirdly, the Federal Council will have an overview of the existing means of communication drawn up.
The Federal Council writes that cybersecurity at the Confederation is also improving thanks to the Information Security Act (ISG) that came into force at the beginning of the year. Federal Data Protection Commissioner Adrian Lobsiger has sent recommendations to the two federal offices and Xplain.
Xplain announced on Wednesday that most of Lobsiger's recommendations had already been implemented or had been addressed in the course of rebuilding its IT infrastructure last year. The Office of the Attorney General of Switzerland is conducting two criminal proceedings in connection with the cyberattack on Xplain.
©Keystone/SDA