Xplain ransomware attack and Swiss federal data leak
The Play ransomware gang breached Swiss IT supplier Xplain and leaked around 65,000 documents on the darknet, including sensitive Federal Administration files from the justice, police, and defence departments.
- Victim: Xplain AG
- Records: 65.0K
In May 2023, the Play ransomware gang compromised Xplain AG, a Swiss software and IT-services provider whose clients include the Swiss federal government, army, customs administration, and several cantonal police forces. The attackers exfiltrated and later published roughly 65,000 documents on the darknet, exposing sensitive government data in one of Switzerland's most serious supply-chain breaches.
What happened
On 23 May 2023, the Russia-linked Play ransomware operation breached Xplain's systems. Xplain, a long-standing supplier of specialised applications to police, judicial, and military bodies, refused to pay a ransom. On 14 June 2023, Play dumped the stolen data on its leak site.
Switzerland's National Cyber Security Centre (NCSC) launched a months-long forensic review of the leak. Its final report, published in March 2024, found that around 65,000 files had been exposed. Of these, 47,413 (about 70%) belonged to Xplain itself and 9,040 (about 14%) to the Federal Administration.
Impact
- About 65,000 documents were leaked, including approximately 9,040 Federal Administration files.
- Around 95% of the federal files came from the Federal Department of Justice and Police (FDJP), with a smaller share from the Federal Department of Defence, Civil Protection and Sport (DDPS).
- The exposed data included personal information, technical documents, passwords, and login credentials; roughly 5,000 files contained sensitive content such as personal data, classified information, or security-relevant details.
Response
The NCSC, the Federal Office of Justice, and the Office of the Attorney General investigated. The government commissioned an external administrative inquiry that scrutinised procurement practices and the handling of operational data by third-party suppliers. The inquiry sharply criticised both Xplain's security posture and federal offices for storing live operational data in test and development environments managed by the vendor.
Why it matters
The Xplain breach is Switzerland's defining third-party supply-chain incident: classified and law-enforcement data leaked not because the government's own systems were hacked, but because a trusted contractor was. It triggered tighter federal rules on data handling by suppliers, restrictions on storing production data in vendor environments, and renewed scrutiny of procurement security across the Swiss Confederation, with the case repeatedly cited when subsequent supplier breaches (such as the 2025 Radix incident) occurred.
Timeline
- 23 May 2023: The Play ransomware group breaches Xplain AG, a Swiss IT supplier to federal and cantonal authorities.
- Xplain detects the intrusion and notifies authorities; the company refuses to pay a ransom.
- 14 June 2023: Play publishes around 65,000 stolen documents on the darknet, including Federal Administration files.
- Switzerland's National Cyber Security Centre (NCSC) opens an investigation into the leaked government data.
- March 2024: The NCSC final report confirms 65,000 leaked files, with 9,040 belonging to the Federal Administration.
Sources
- bleepingcomputer.com: https://www.bleepingcomputer.com/news/security/switzerland-says-government-data-stolen-in-ransomware-attack/
- bleepingcomputer.com: https://www.bleepingcomputer.com/news/security/switzerland-play-ransomware-leaked-65-000-government-documents/
- therecord.media: https://therecord.media/play-ransomware-leaked-government-files-swiss
- securityaffairs.com: https://securityaffairs.com/160174/data-breach/xplain-data-breach-report.html