The cantonal administration of Aargau violated data protection regulations in the lead-up to the data theft from the software company Xplain. The cantonal public and data protection officer therefore sharply criticized the administration in a report. The release of the data was “inadmissible”.
In concrete terms, the canton had handed the government software supplier productive data that was particularly deserving of protection. As Watson made public, the ransomware gang ‘Play’ attacked Xplain in the first half of 2023 and exfiltrated a huge amount of data. Because Xplain did not pay a ransom, ‘Play’ published more than 900 GB of stolen data on the dark web.
What did the people of Aargau do wrong?
According to the Aargau Government Council, the Aargau Ministry of Economic Affairs and Home Affairs (DVI) provided the data to Xplain as part of software development projects. The administration was therefore partly responsible for sensitive data being stored at the company, where it could be stolen. The canton has been working with the company, based in Interlaken BE, for about ten years.
“The processing of particularly sensitive personal data outside the cantonal IT infrastructure was not provided for in the contracts with Xplain,” the report said. Consequently, Xplain had not been given any guidelines for ensuring data security when processing particularly sensitive personal data.
“However, this does not change the need for data protection,” says data protection officer Gunhilt Kersten in the report: “The transfer of productive data, in particular particularly sensitive personal data, to Xplain AG was therefore not permitted.” The report from the end of December appeared on the canton’s website.
Do not use sensitive data for testing
The General Terms and Conditions of the Canton of Aargau on Information Security and Data Protection (ISDS) explicitly state that “productive data may not under any circumstances be used for testing purposes” when providing IT services, the report continues.
According to the report, the Ministry of Interior claimed that productive data was never sent to the service provider for testing purposes, but rather for software development.
According to the report, this data included operational scans and screenshots of customer relationships, individually scanned orders, writs, judicial decisions and administrative decisions, as well as data from the cantonal population register and from JustThis (criminal law business administration) and Polaris (police business administration).
“These are also productive personal data that deserve special protection. This data was passed on to Xplain AG by departments of the DVI or the cantonal police,” said the data protection officer’s report.
The DVI did not further clarify whether transferring productive data to Xplain was necessary at all, or whether the same goals could have been achieved on the canton’s own infrastructure or by using test or anonymized data.
After the Xplain data theft, the hacker group “Play” published a total of 32 gigabytes of data from the DVI. Business contact details of employees of the Office for Migration and Integration of the Canton of Aargau (MIKA) and the cantonal police, as well as contact details of municipalities and social services, were published, among others.
What does the data protection officer recommend?
The data protection officer criticizes the fact that internal supervision failed to notice that the responsible authorities had made unauthorized disclosures of data to Xplain AG.
The data protection officer recommends checking the internal processes of the DVI to see whether the timely implementation of data protection impact assessments is sufficiently anchored in them. It should also be made clear who within the DVI is responsible for compliance with data protection regulations.
(dsc/sda)
Source: Watson

I’m Ella Sammie, author specializing in the Technology sector. I have been writing for 24 Instant News since 2020, and am passionate about staying up to date with the latest developments in this ever-changing industry.