The Confederation at fault in the cyberattack on Xplain


Investigations into the cyberattack against the company Xplain last year found errors made by the federal police and customs offices. The company is also at fault. The Federal Council announces measures on Wednesday.

Following a ransomware attack against the Bernese company Xplain in May 2023, a large amount of personal data of the federal administration, including sensitive data, was published on the “darknet”. This data had been stored on an Xplain server.

In the three investigations launched following the attack, the Federal Data Protection Commissioner (PFPDT) found violations of the law.

The necessary data protection measures were not taken when the Federal Office of Police (fedpol) and the Federal Office for Customs and Border Security (OFDF) transmitted personal data from the Confederation to Xplain. Xplain then retained this data in violation of data protection law and, in part, in violation of its contractual obligations, the PFPDT specifies in a press release.

Since this data leak was made public, the Federal Council has taken, or ordered, numerous measures to shed light on the incident and to draw lessons from it, the government writes in a separate press release.

In particular, it ordered an external administrative investigation. A report was drawn up and adopted on Wednesday. In addition to the urgent measures already taken following the attack, the Federal Council is recommending a whole series of further measures.

Security system

In particular, the administrative units of the Confederation will be required to set up and operate an information security management system (ISMS) by the end of 2026 at the latest. An ISMS allows management to oversee all security processes, such as the inventory of information and IT resources, risk assessment, security when collaborating with third parties, training, incident management and audit planning.

The federal services concerned “did not sufficiently fulfill their duties to choose their supplier carefully, as well as to adequately instruct and monitor it. They did not fulfill their duties from the point of view of data protection and only partially fulfilled them from the angle of information security”, concludes the Federal Council.

This article was automatically published. Source: ats
