Cyberattack on Xplain: errors on the part of the Confederation, which takes countermeasures

The Confederation also made mistakes in the attack on Xplain.


The investigations into the cyberattack suffered by the company Xplain have revealed errors on the part of the federal police and customs offices, as well as on the part of the IT company itself. For this reason, the Federal Council today adopted several countermeasures.

According to a statement issued today by the Federal Data Protection and Information Commissioner (FDPIC), personal data from the Federal Office of Police (fedpol) and the Federal Office for Customs and Border Security (UDSC) was transferred to the company Xplain without the necessary data protection measures.

Furthermore, Xplain retained this data in breach of data protection regulations and, in part, of the contracts it had signed.

The initial situation

After the attack on Xplain in May 2023, large amounts of personal data from the Federal Administration were published on the darknet, including sensitive personal data requiring particular protection. This data had been stored on an Xplain server.

Three investigations were therefore opened. They revealed that neither fedpol nor the UDSC had clearly agreed with Xplain whether it was permitted, and if so under what conditions, to store personal data on the Xplain server as part of the support services provided by the company. Data from the federal offices therefore accumulated on the Xplain server. The FDPIC also found that the amount of personal data transmitted in the course of this support work was disproportionate.

Shortcomings on Xplain’s part

For its part, Xplain, although it had no access to the databases of fedpol and the UDSC, should have known that the support functions it had itself programmed could also carry personal data, and that this data would then be processed on its own server.

For this processing, Xplain did not adopt adequate measures to guarantee data security and information protection in line with good practice (best practice). Xplain therefore violated two data protection principles: purpose limitation and proportionality. Furthermore, although some of the contracts included deletion obligations, the company retained this information in breach of those contracts.

Government countermeasures

In parallel with the FDPIC's work, and on the basis of an internal administrative investigation, the Federal Council today adopted measures, to be implemented by the end of the year, to prevent future information leaks at providers of IT applications.

In particular, security management must be strengthened, among other things by introducing additional rules for collaboration with suppliers. The Confederation's ability to supervise suppliers and carry out audits must be reinforced. A role-specific training plan must also be drawn up to train staff and raise their awareness of the current security requirements. Finally, an overview of the communication channels available to the federal authorities will be compiled.

To further improve the security of the Confederation's data, the Federal Council has instructed the Federal Department of Defence, Civil Protection and Sport (DDPS) to review the baseline protection of the Confederation's ICT by the end of 2024 and to propose any necessary adjustments. Within the same deadline, the Federal Office for Cybersecurity (FOCS) must set out how coordination between the Confederation, the cantons and suppliers works in practice when handling cyberattacks, and what criteria are used to assess their extent.

These measures, the statement recalls, come on top of the Information Security Act, which came into force at the beginning of the year and aims to improve security in a systematic and lasting way. In particular, administrative units are required to set up and operate an information security management system by the end of 2026 at the latest.

Such a system gives management control over all security processes, such as the inventory of information and IT assets, risk assessments, security in collaboration with third parties, training, incident management and audit planning.

cp, ats
