Ransomware attack on Xplain: The fedpol task force

Switzerland faces a growing threat from ransomware attacks. Criminals hack into computer systems, steal or encrypt data and extort money from companies. After an attack on a fedpol service provider, extensive incident management was required.

Ransomware attacks are becoming a serious threat for Switzerland. Criminals exploit vulnerabilities in the security of computer systems to gain access, and then steal or encrypt data. Extortion is often involved. The hackers’ ultimatum: pay up or the stolen data becomes public or permanently inaccessible. For the organisations concerned, the cost involved is enormous in terms of personnel, management and money. Ransomware attacks go far beyond an immediate loss of data, as they not only cause long-term financial damage to companies and individuals, but also damage to reputations.

In Switzerland, several companies were the target of such attacks in 2023, including the company Xplain. The hacker group ‹Play› – professionals who use this method to blackmail hundreds of companies every year – attacked Xplain in the spring. Xplain’s main customers: the cantonal and federal authorities, including fedpol.


A ransomware attack on a service provider can also have serious repercussions for the provider’s clients. After the attack on Xplain, fedpol immediately set up a task force – an in-house crisis team comprising experts from various departments. Dealing with the possible consequences of the attack on fedpol’s service provider became a top priority. At times, over 60 staff were working round the clock; their day-to-day business had to be handled by colleagues. The task force’s mission:

  • to identify and analyse the stolen data;
  • to bring in measures to protect people, infrastructure and data;
  • to notify other organisations affected;
  • to provide legal support in identifying shortcomings in invitations to tender and contracts so as to prevent future incidents;
  • to support partners within the Federal Administration;
  • to provide internal and external communication services;
  • and, above all, to learn from the experience.

Read the report by Dominic*, a police analyst involved, to find out more about working in the task force.

Report by Dominic*, a police analyst in the task force

When I was assigned to the task force, my everyday work as a police analyst was completely turned upside down from one day to the next. Along with my superior, I was given the task of setting up an intelligence and analysis centre for the task force, both physically and structurally. We worked day and night, sometimes up to 16 hours at a time, even at weekends. We bore a heavy burden of responsibility, but at the same time I was also aware of how closely we were working together at fedpol and appreciated the immense support my colleagues were giving me.

Day-to-day business continued alongside the task force. I was always able to count on the valuable support of my team in dealing with this. Despite the hardships, I always realised that we had to overcome this crisis. This gave me additional drive and motivation. Even at home, family and friends showed a great deal of understanding for my unusual situation, even though I was not allowed to talk about what we were doing.

It fills me with pride to have been part of the task force, which worked tirelessly. It was an extremely enriching experience; I learnt a lot and got to know many new colleagues. This job has changed me and shown me how important it is to stick together and support each other in times of crisis. It reminded me that we are stronger together.

fedpol immediately informed the Federal Data Protection Commissioner (FDPIC) and filed a criminal complaint, even though the perpetrators are still unidentified. An independent body has been tasked with finding out how fedpol data, some sensitive, ended up on Xplain’s servers and remained there.

At the time of publication of this text, in addition to the criminal proceedings against persons unknown and the FDPIC’s investigations, an administrative investigation is underway, commissioned by the Federal Council. Lots of questions remain unanswered. Even if many lessons have already been learnt from the case, they are not conclusive. But one thing is certain: the dedication of fedpol’s task force has made a significant contribution to averting potential risks to people, data and infrastructure.

* Name changed
