Information on the data leakage at Xplain

At the end of May 2023, it became known that Xplain, a Swiss provider of government software, had fallen victim to a ransomware attack. In a ransomware attack, the victim's files are encrypted and thus rendered unusable so that a ransom can be extorted. Thereby, a hacker group under the name "Play" has stolen large amounts of data. This includes operational data of the Federal Administration generated by the ongoing operation of the Federal Administration’s information systems.

Since Xplain, in agreement with the law enforcement authorities and the National Cyber Security Centre (NCSC), had not paid a ransom to the hackers, they published the stolen data package on the darknet on 14 June 2023.

Since this data leakage became known, the NCSC has established an organisation to deal with the incident in close cooperation with the authorities concerned. Intensive work is underway to evaluate and analyse the stolen data. The Confederation has also initiated measures to minimise the security risk for the Federal Administration.

There are still no indications of direct attacks on federal systems. Since operational data is affected by the attack, various Federal Administration units have filed criminal charges or are considering similar steps. The aim of this is to clarify the circumstances that led to Federal Administration data ending up on the Xplain system.

The Federal Office of Justice is also affected

The data leakage at Xplain also includes personal data for which the Federal Office of Justice (FOJ) is responsible for processing.

According to the current status of the analyses, this involves data in connection with the FOJ's tasks in the area of international mutual legal assistance in criminal matters. This concerns extradition, other mutual legal assistance measures, the delegation of criminal prosecution and execution, and the transfer of convicted persons.

Individuals who are particularly affected are informed directly by the FOJ by personal letter. Other requests in this context will be accepted exclusively via the form below.

The FOJ has notified the Federal Data Protection and Information Commissioner (FDPIC) of the incident. The available information on this incident will be supplemented continuously according to the state of knowledge.