Xplain Play ransomware and Swiss federal documents leak (2023)
Play ransomware breached Swiss IT services provider Xplain, exfiltrating 1.3 million files. Approximately 65,000 documents belonging to the Swiss Federal Administration — including classified content, personal data, and readable passwords — were published on Play's dark-web leak site in June 2023.
- Victim: Xplain (Swiss IT services provider to the Federal Administration)
- Records: 1.3M
On 23 May 2023, the Play ransomware group breached Xplain, a Swiss IT services provider serving the Swiss Federal Administration. The attackers exfiltrated 1.3 million files, including approximately 65,000 documents tied to the federal government, and published them on Play's dark-web leak site on 14 June 2023. The subsequent administrative investigation identified 121 documents classified under the Information Protection Ordinance, including four containing readable passwords.
What happened
Xplain provides IT services to a wide range of Swiss federal entities. When Play encrypted Xplain's environment in May 2023, the attackers also exfiltrated a vast archive of data — much of which related to customer engagements with the Federal Administration. On 14 June 2023, after Xplain refused to pay, Play published the stolen material on its leak site.
The Swiss government's post-incident inventory found:
- About 70% (~47,413 files) of the leak belonged to Xplain itself.
- About 14% (~9,040 files) belonged to the Federal Administration.
- Roughly half of the Federal Administration's leaked files contained personal data, technical information, classified content, or passwords.
- 121 documents met the criteria for classification under Switzerland's Information Protection Ordinance.
- Four of those documents contained passwords in cleartext.
A formal crisis team was established on 28 June 2023, and an administrative investigation was launched on 23 August 2023. The investigation's findings were published in March 2024.
Impact
- 1.3 million files leaked publicly.
- ~65,000 Swiss Federal Administration documents exposed.
- 121 classified documents identified in the leak.
- 4 documents contained readable passwords.
- Triggered a federal-government policy review of contractor data-handling practices.
Why it matters
Xplain is the clearest European case of a government-contractor breach turning into a sovereign data leak. The Swiss government's investigation is unusual for its public detail: how much was lost, how much of it was classified, and how many passwords sat in plaintext inside files that should never have been exposed to exfiltration in the first place. Every government procurement department in Europe now references it when writing contractor data-handling clauses.
Timeline
- 23 May 2023: Play ransomware operators breach Xplain, exfiltrating 1.3 million files, including data tied to the Swiss Federal Administration.
- 14 June 2023: Play publishes the stolen data, approximately 65,000 documents belonging to the Federal Administration, on its dark-web leak site.
- 28 June 2023: Swiss authorities form a policy-strategy crisis team to coordinate the federal response.
- 23 August 2023: An administrative investigation is officially launched to determine the scope of federal data exposure at Xplain.
- March 2024: Investigation findings are published: 121 objects are classified under the Information Protection Ordinance, and 4 of them contain readable passwords. About half of the leaked Federal Administration files contain sensitive content (personal data, technical information, classified information, or credentials).
Sources
- securityaffairs.com: https://securityaffairs.com/160174/data-breach/xplain-data-breach-report.html
- bleepingcomputer.com: https://www.bleepingcomputer.com/news/security/switzerland-play-ransomware-leaked-65-000-government-documents/
- therecord.media: https://therecord.media/play-ransomware-leaked-government-files-swiss
- theregister.com: https://www.theregister.com/2024/03/08/swiss_government_files_ransomware/
- hackread.com: https://hackread.com/xplain-hack-play-ransomware-leak-swiss-govt-data/