FDPIC concludes investigations into the company Xplain and the federal offices fedpol and FOCBS

Bern, 01.05.2024 - In the three investigations, the FDPIC found violations of the Data Protection Act attributable to errors in the support process. The results of the investigations show that personal data from fedpol and the FOCBS were transferred to Xplain without the required data protection precautions being taken. The data were subsequently stored by Xplain in breach of data protection requirements and in some cases in breach of contractual obligations.

Following the ransomware incident at the company Xplain in May 2023, a large volume of personal data from the Federal Administration, including sensitive personal data, was published on the darknet. This data had been stored on an Xplain server. The FDPIC subsequently opened an investigation into the Federal Office of Police (fedpol) and the Federal Office for Customs and Border Security (FOCBS) on 20 June 2023, and into the company Xplain on 13 July 2023. In particular, it investigated the circumstances in which the data was transferred to Xplain by the federal offices under investigation and thereafter stored on Xplain's server.

In its reports, the FDPIC concludes that neither fedpol nor the FOCBS had reached any clear agreement with Xplain on whether and if so on what terms personal data could be stored on Xplain's servers as part of support services that the company provided. The extent to which personal data could be transferred to Xplain and stored by Xplain should have been expressly regulated. The actual process was designed in such a way that personal data was sent to Xplain in the course of support cases without precise requirements for the transfer and compliance with data security at Xplain being defined. As a result, a collection of unstructured data from the federal offices was held on the Xplain server. The FDPIC also found that an unnecessarily large volume of personal data was transferred as part of this process.

Xplain had no access to the fedpol or FOCBS databases. However, the company must have been aware that the support functions it had programmed could also contain personal data and that this would be processed on its server as part of the support processes. Xplain, as the processor, failed in these processing operations to take appropriate measures in accordance with the best practices to ensure data security or information protection. With regard to the retention of personal data from the Federal Administration, Xplain violated the data protection principles of purpose limitation and proportionality. In addition, Xplain retained the personal data in breach of contract, as it was subject to contractual obligations to delete the data in certain cases.

The FDPIC has issued recommendations to the FOCBS, fedpol and Xplain, the implementation of which should minimise the risks of further data protection breaches. The three parties have thirty days to inform the FDPIC whether they accept the recommendations.

Note: Parallel to the investigation conducted by the FDPIC as an independent investigative authority under the Data Protection Act, the Federal Council has conducted an administrative investigation in terms of the Government and Administration Organisation Act, which also dealt with the data leak at Xplain AG and whose final report will also be published on 1 May 2024. The two studies were conducted independently of each other.

Address for enquiries

Federal Data Protection and Information Commissioner (FDPIC), Katja Zürcher-Mäder, Tel. +41 58 462 99 31, [email protected]

• Documents

Publisher

Federal Data Protection and Information Commissioner
https://www.edoeb.admin.ch/edoeb/en/home.html