
The recent Play ransomware attack on IT services provider Xplain has significantly impacted Switzerland’s national railway company, FSS, and the canton of Aargau.
Swiss authorities initiated an investigation into the cyberattack on Bern-based Xplain, which provides services to various federal and cantonal government departments, including the army, customs, and the Federal Office of Police (Fedpol).
According to the Swiss newspaper Le Temps, which first reported the attack, this cyberattack marks the first time several cantonal police forces, the Swiss army, and Fedpol have been indirectly affected, because they share a common IT service provider, Xplain, for security. Local media reports indicate that the attackers exploited a vulnerability in Xplain’s servers.
While Fedpol and the federal customs office confirmed the attack, they attempted to downplay the severity of the incident. Fedpol stated that the threat actors only accessed simulated, anonymous data for testing purposes. Xplain recently notified Fedpol about the attack, and according to a Fedpol spokesman, the agency’s projects were not compromised.
Initially, threat actors published allegedly stolen data from Fedpol and the Federal Office for Customs and Border Security (FOCBS) on a Darknet forum. FOCBS acknowledged that some of its data, related to client correspondence, was exposed in the breach.
NZZ am Sonntag magazine initially reported the data leak from FSS, which the Swiss railway company later confirmed. Authorities in the canton of Aargau also confirmed the data breach.
According to the RSI website, Aargau authorities believe that a small amount of operational data from error logs stored at Xplain for analysis may have been affected in addition to company correspondence.