Swiss cheese security? Play ransomware gang milks government of 65,000 files

Classified docs, readable passwords, and thousands of personal information nabbed in Xplain breach

The Swiss government had around 65,000 files related to it stolen by the Play ransomware gang during an attack on an IT supplier, its National Cyber Security Center (NCSC) says.

A total of 1.3 million files were stolen during the incident at software biz Xplain in May 2023, meaning 5 percent of the entire trove related to the Swiss Federal Administration – a collection of seven federal agencies that alongside the Federal Council comprise the main government departments.

Among them were classified files and sensitive, personally identifiable information (PII) – all of which are believed to be published on the dark web.

The vast majority of the files (95 percent) were related to the administrative units of various government arms including those concerning justice, police, migration, and internal IT. A smaller proportion (3 percent) related to the Federal Department of Defense, Civil Protection, and Sport, while other departments are only described as being "marginally affected."

Despite 65,000 files concerning the Swiss government, the NCSC said 47,413 of these belonged to Xplain itself and 9,040 belonged to the Federal Administration. More than half of these (5,182) included sensitive content such as PII, classified files, passwords, and technical documentation.

Personal data formed the bulk of this, with names, email addresses, home addresses, and phone numbers accounting for 4,779 of the sensitive files.

Technical documentation on IT systems and software – requirement documents and architecture information – accounted for 278 of these files. Classified files comprised the remaining sensitive files that were stolen, only four of which contained readable passwords, the NCSC said.

"A considerable amount of analysis was required to determine how much data was leaked and the owners of the leaked data," it said in a statement accompanying the full report, available only in German and French. 

"Suitable tools were required to process unstructured data records and make their contents readable. The objects identified as relevant then had to be manually viewed and categorized. 

"The various federal offices and service providers involved worked closely under the lead of the NCSC to manage the security incident. This allowed all parties to utilize synergies, make effective use of resources, and save valuable time."

An administrative investigation was launched in August 2023 to fully understand how the breach at Xplain took place and is set to conclude this month. The resulting report will then provide actionable recommendations for the Federal Council to apply with a view to preventing future breaches. ®

More about


Send us news

Other stories you might like