Hacker attack on Xplain: Impact on the Federal Office for Customs and Border Security and measures taken

At the beginning of June, it became publicly known that the Swiss company Xplain, a provider of software for security authorities and emergency services, had been the victim of a ransomware attack by the hacker group Play. Since Xplain, in consultation with the prosecution authorities and the federal government, did not respond to the ransom demands, the hackers published what is presumed to be the entire stolen data package on the darknet in mid-June 2023. The Federal Office for Customs and Border Security (FOCBS) – among other administrative units – is also affected by the data theft.

The ransomware group Play managed to access and encrypt a large amount of data stored on Xplain's IT systems. After an unsuccessful blackmail attempt, the data was subsequently published on the darknet. Xplain informed the National Cybersecurity Centre (NCSC) of the cyberincident and filed criminal charges with the Bern Cantonal Police.

On 23 May 2023, the FOCBS was informed by Xplain about the data theft and the further incidents. After the incident became known, the FOCBS filed criminal charges against persons unknown with the Office of the Attorney General of Switzerland and informed the Federal Data Protection and Information Commissioner (FDPIC) about the incident.

According to current information, the stolen data includes personal data (e.g. surname, first name, date of birth, passport number) and, in certain cases, sensitive data of private individuals (e.g. facial images). According to current information, this data comes from testing and/or error reports and log files of the border control system eneXs, which the FOCBS uses during border control processes mainly to check individuals at the Schengen external and internal borders. To the best of our knowledge, there are no indications that FOCBS documents classified as confidential and/or secret (in accordance with the Information Protection Ordinance, SR 510.411) are affected by this data theft.

The border control system eneXs was developed by Xplain in 2009 on behalf of the FOCBS. Among other things, eneXs can be used to compare identity documents with national and European information systems and to check the authenticity of identity documents. These checks are a key element in ensuring Switzerland's internal security. The eneXs application does not store any data. During border checks, the relevant information is only called up and temporarily displayed.

The FOCBS concluded an IT work contract with Xplain for the delivery, maintenance and support of the eneXs software. As part of the software's support, further development and maintenance, it is customary for error reports and test data to be sent to Xplain. The ongoing investigations are focusing, among other things, on clarifying the circumstances and conditions under which the leaked data was transferred to Xplain and remained there. In this context, it should be emphasised that the stolen data has no influence on the FOCBS's operations.

The FOCBS is taking this incident very seriously. The data downloaded from the darknet is being analysed and examined by FOCBS specialists in order to evaluate the extent of the data theft and to determine further necessary measures.

The analysis of the incident and the evaluation of the data related to the FOCBS have not yet been completed. The FOCBS is directly and actively informing the affected individuals whose privacy rights have been particularly affected by the data theft and who may be subject to disadvantages as a result. Current evaluations indicate that around 60 individuals have been affected by the theft of sensitive data.

If any new findings come to light, the FOCBS will provide timely and transparent information on this website.

The National Cybersecurity Centre (NCSC) is coordinating the ongoing clarifications and measures within the Federal Administration. The FOCBS is in close contact with the NCSC. Furthermore, the Federal Council convened a policy strategy crisis team on 28 June 2023, which is coordinating the ongoing work across departments and proposing measures. In addition, existing contracts with federal IT service providers will be reviewed and, if necessary, amended in such a way that the cybersecurity of the service providers is improved and the federal government can react quickly in the event of a successful attack.  

We kindly ask you to contact the FOCBS information office if you have any further questions about the matter.