Excerpts from military police reports and the personal details of about 720 users of the platform have surfaced on the dark web. The data was stolen from the military during a hacker attack on IT service provider Xplain. A report has been filed against unknown persons.
According to a statement from the Defense Group and the General Secretariat of the Defense Ministry on Thursday, the army’s IT infrastructure is not affected by the hacker attack. The information on the dark web does not affect the operational missions of the military and does not pose a potential threat to the military and its partner organizations; security oversight has nevertheless been strengthened.
The analyses after the #Cyberattack on #Xplain have shown that fragments of the military police’s diary and report management system and incomplete and partly outdated user profiles have been stolen. https://t.co/aUsoHILuNr
— VBS – DDPS (@vbs_ddps) August 24, 2023
The data was found during research into the ransomware attack in June on IT service provider Xplain, which has the military as a customer. The hacker attack affected fragments of extracts from the military police’s diary and report management system called “Jorasys”, as well as incomplete and partially outdated user profiles of military police members.
“No risks” for affected individuals
According to the military, the data published on the Darknet are not complete data sets, but log data that Xplain used to analyze operational errors. The fragments are from the years 2018, 2022 and 2023.
This concerns data of persons subject to military criminal law and of third parties that are registered following incidents related to the army or members of the army. In addition, the perpetrators published a list from 2020 on the Darknet with about 720 active and inactive ‘Jorasys’ users from the military.
According to the military, there are no risks for the people on the stolen list. Similar information is available in public records such as the federal state calendar or other public sources. In addition, the military has informed and sensitized affected active and inactive “Jorasys” users as well as other affected people.
Various victims
The military police system, like the associated data storage, runs on a secure IT infrastructure of the army, the statement also said. The military police continue to use the program.
To clarify the circumstances under which the data could end up on a private company’s file system and be attacked there, the Defense Group has filed a criminal complaint against unknown persons.
In mid-July it was already known that an eight-year extract from the hooligan information system Hoogan had appeared on the dark web. The data of more than 760 people was stolen from the Federal Police Station (Fedpol) during a hacker attack.
Administrative investigation started
The cyber attack on IT service provider Xplain was made public by Watson on May 23. The ransomware gang Play published a corresponding threat on their “Name and Shame” page on the dark web.
The cyber criminals had previously exploited a vulnerability on the servers of IT service provider Xplain and then stolen data from the federal government unnoticed. Since they subsequently did not receive the demanded ransom, they allegedly published all the captured data on the dark web.
At the end of June, the Federal Council approved the mandate for a crisis team called “Data Outflow” to coordinate post-attack operations. It must be ensured that this outflow of data does not continue and that such a thing will no longer be possible in the future, said Federal Councilor Karin Keller-Sutter at the time.
The Federal Council ordered the investigation on Wednesday. Geneva law firm Oberson Abels SA was instructed to act as an independent body. The study is expected to be completed by the end of March 2024.
The administrative investigation must show what circumstances on the part of the federal government made it possible for the Interlaken company Xplain to come into possession of the data. In addition, it should be clarified whether the federal government has fulfilled its obligations to oversee Xplain. The Geneva law firm must also develop solutions and recommendations to mitigate security risks.
(hah/sda)
Source: Watson

I’m Ella Sammie, author specializing in the Technology sector. I have been writing for 24 Instant News since 2020, and am passionate about staying up to date with the latest developments in this ever-changing industry.