Hacker attack on Xplain: Impact on fedpol and measures taken

At the beginning of June 2023, it became publicly known that the Swiss company Xplain, a provider of software for security authorities and the emergency services, had been the victim of a ransomware attack by the hacker group Play. In consultation with the prosecution authorities and the federal government, Xplain did not respond to the ransom demands; the hackers subsequently published the entire stolen data package on the darknet in mid-June 2023. fedpol – along with other federal and cantonal administrative units – was also affected by the data theft.

Xplain informed the National Cybersecurity Centre (NCSC) of the incident and filed criminal charges with the Bern Cantonal Police. Xplain informed fedpol of the data theft on 23 May 2023.

After the incident became known, fedpol filed criminal charges against persons unknown with the Office of the Attorney General of Switzerland and informed the Federal Data Protection and Information Commissioner (FDPIC) about the data leak.

How fedpol is affected

Of the total volume of data known to have been stolen and published on the darknet, fedpol-related data accounts for less than 10% according to the current state of knowledge (as of September 2023). Thanks to its own analysis, fedpol was able to establish early on that the data published includes operational data and immediately took precautionary measures to protect persons, data, infrastructures and objects as well as ongoing procedures.

According to current information, the stolen data includes personal data (e.g. surname, first name, date of birth) and in some cases sensitive personal data of individuals (e.g. facial images). The analysis revealed that this data includes an eight-year-old XML file containing excerpts of data from the HOOGAN information system. HOOGAN records entries on individuals who have behaved violently at sporting events at home and abroad and against whom the respective canton or fedpol has ordered a measure in line with Article 24a ISA. The XML file, which was published on the darknet, contains a technical code with the data of 766 persons who were registered in the HOOGAN information system in September 2015. The file does not contain any information on offences or measures ordered (see press release of 12.7.2023 available in German, French, and Italian).

How fedpol is informing those affected and the public

fedpol is taking its responsibility as a data controller seriously – if fedpol data has been leaked by a supplier and results in a possible breach of privacy rights or individuals being potentially put at risk of harm, fedpol will actively and directly inform the individuals concerned. This is irrespective of whether the supplier has acted wrongly or not.

In the interest of transparency, fedpol has decided to issue a press release if the data theft affects numerous individuals to the same extent and there are verified facts – as is the case with the HOOGAN data. In doing so, fedpol respects data protection and protects privacy and procedural rights.

Close coordination with other federal authorities

The National Cybersecurity Centre (NCSC) is coordinating the ongoing clarifications and measures within the Federal Administration, and fedpol is maintaining close contact with the NCSC. On 28 June 2023, the Federal Council convened a policy strategy crisis team to monitor the situation and coordinate the cross-departmental management and analysis of the incident, and propose measures. In addition, the federal procurement authority is reviewing existing contracts with federal IT service providers and, if necessary, adapting them so that service providers meet their cyber security obligations. This is to ensure that the federal government can react quickly in the event of a successful attack on an external service provider. Finally, the federal government is examining how to ensure that the essential services currently provided by Xplain to fedpol and other security authorities and the emergency services can continue to be guaranteed.

Contact for the public

fedpol has reviewed the set of data published on the darknet from the Xplain ransomware attack and has analysed fedpol-related files. If you are concerned that your personal data may also be contained in the published fedpol files stolen from Xplain, you can contact us using the form.  

Last modification 11.09.2023
