Xplain case: “Correct lessons learned from the incident”

Published: Thursday, Jun 6th 2024, 11:40

The Confederation has drawn the right conclusions from the Xplain case and the theft of data by criminals. This is the opinion of the responsible subcommittee of the Control Committee of the Council of States (CPC-S).

"We have been convinced that the right lessons have been learned from the incident," said its President Pirmin Schwander on Thursday. The SVP member of the Council of States from Schwyz made this statement while discussing the Federal Council's 2023 Annual Report.

Among other things, Schwander said that since the data leak was investigated, employees of the Bern-based IT company Xplain have only been allowed to work with so-called productive data under the supervision of the federal government and on federal government premises. This is data that is in live use.

Various federal offices had weighed up their interests as to whether they wanted to continue working with Xplain or not. According to Schwander, breaking off the collaboration would mean that IT contracts would have to be put out to tender again. Almost everywhere it was decided to continue working with Xplain.

However, Schwander encouraged the Federal Administration to also consider younger, less established companies when awarding contracts. He also said that as a result of the data leak at Xplain, the Federal Administration had reviewed the approximately 7600 existing IT contracts. Inadequate provisions had been identified in around 660 security-relevant contracts. Renegotiations are now underway.

Hoogan data landed on the Internet

The cyberattack on the IT service provider Xplain became known in May 2023. The hackers used ransomware to attack a vulnerability on the IT service provider's servers and stole data from the Federal Administration. Because they did not receive a ransom, they published the data on the darknet.

At the beginning of May this year, the Federal Data Protection and Information Commissioner (FDPIC) published three investigation reports on the data leak. He came to the conclusion that both the Confederation and Xplain had made mistakes and made a number of recommendations.

Xplain and two federal offices concerned subsequently announced that they accepted the recommendations. The Federal Council also decided on a series of measures to prevent future data leaks.

©Keystone/SDA

the swiss times
A production of UltraSwiss AG, 6340 Baar, Switzerland