Hacker attack on Xplain: National Cyber Security Centre publishes data analysis report

Bern, 07.03.2024 - The National Cyber Security Centre (NCSC) took over responsibility for incident management in the Federal Administration in the wake of the hacker attack on Xplain, a major provider of IT services to national and cantonal authorities. Part of its activities involved analysing the data that the perpetrators published on the darknet. The NCSC released a report today explaining its analysis and providing information on what type of data was affected and the challenges associated with analysing the data. The report does not evaluate the content of the data, nor does it analyse why certain data was leaked. The latter question will be clarified as part of the ongoing administrative investigation.

As part of a ransomware attack on Xplain, the hacker group known as Play stole data and published what is presumed to be the entire stolen data package on the darknet on 14 June 2023. This included classified information and sensitive personal data from the Federal Administration. The National Cyber Security Centre (NCSC) led the incident response, defined measures to restore the security of the systems and carried out a comprehensive analysis of the published data.

The NCSC is now publishing a report on the procedure and results of the data analysis as part of the process to manage the incident and ensure maximum transparency. The aim is to provide an overview of the type of data affected and to outline the challenges involved in analysing the data.

Relevance of the published data volume

The data package published on the darknet comprised around 1.3 million files. Once the data had been downloaded, the NCSC took the lead in systematically categorising and triaging all documents relevant to the Federal Administration. The results showed that the volume of data relevant to the Federal Administration comprised around 65,000 documents, or approximately 5% of the total published data set. The majority of these files belonged to Xplain (47,413) with a share of over 70%; around 14% (9,040) belonged to the Federal Administration. Around 95% of the Federal Administration’s files belonged to the administrative units of the Federal Department of Justice and Police (FDJP): the Federal Office of Justice, Federal Office of Police, State Secretariat for Migration and the internal IT service centre ISC-FDJP. With just over 3% of the data, the Federal Department of Defence, Civil Protection and Sport (DDPS) is slightly affected and the other departments are only marginally affected in terms of volume.

Proportion of sensitive data

Sensitive content such as personal data, technical information, classified information and passwords was found in around half of the Federal Administration's files (5,182). Personal data such as names, email addresses, telephone numbers and postal addresses were found in 4,779 of these files. In addition, 278 files contained technical information such as documentation on IT systems, software requirement documents or architectural descriptions, 121 objects were classified in accordance with the Information Protection Ordinance and 4 objects contained readable passwords.

Challenges of the analysis

A considerable amount of analysis was required to determine how much data was leaked and the owners of the leaked data. Suitable tools were required to process unstructured data records and make their contents readable. The objects identified as relevant then had to be manually viewed and categorised. The various federal offices and service providers involved worked closely under the lead of the NCSC to manage the security incident. This allowed all parties to utilise synergies, make effective use of resources and save valuable time.

Administrative investigation

The Federal Council mandated a policy strategy crisis team on data leaks (PSC-D) on 28 June 2023 and ordered an administrative investigation on 23 August 2023 in order to fully understand the data leak at Xplain. The administrative investigation is to be completed by the end of March 2024. The Federal Council will then be informed of the results and recommendations so that it can decide on how to proceed.

Address for enquiries

Communication NCSC
+41 58 465 04 64


National Cyber Security Centre

General Secretariat DDPS