EDÖB/PFPDT/IFPDT (Switzerland) - Concevis
Revision as of 16:35, 7 January 2025
PFPDT - Concevis | |
---|---|
Authority: | PFPDT (Switzerland) |
Jurisdiction: | Switzerland |
Relevant Law: | Loi fédérale sur la protection des données |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | |
Published: | |
Fine: | n/a |
Parties: | Concevis |
National Case Number/Name: | Concevis |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | French |
Original Source: | PFPDT (in FR) |
Initial Contributor: | elu |
Following a ransomware attack, the Federal Data Protection and Transparency Officer advised Concevis, a software engineering firm, to improve its contracts with service providers and to define the life cycle of data in those contracts.
English Summary
Facts
In November 2023, a ransomware attack hit the company Concevis, the controller. Data of its clients, among them the Federal Statistical Office, fell into the hands of the attackers.
Subsequently, the Federal Data Protection and Transparency Officer (hereinafter: DPA) started a preliminary investigation against the controller and the Federal Statistical Office.
Holding
The DPA conducted the preliminary investigation and found that there were no grounds to continue with a formal investigation within the meaning of Article 49 Loi sur la Protection des Données (LPD).
The preliminary investigation revealed that the data was correctly encrypted and that it was unlikely that the attackers were able to access it. However, the DPA highlighted some elements in need of correction, namely that the administrative units of the Federal Statistical Office should have concluded contracts with service providers more clearly and should have included in such contracts the life cycle of data, from its collection to its deletion. It also highlighted the need for the controller and the Federal Statistical Office to recognize the competence of the DPA to carry out audits, and the need to comply with the requirements laid out in the Xplain decision.
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
20.12.2024 - Closure of an informal preliminary investigation into indications of violations of data protection regulations

In November 2023, the software company Concevis was the victim of a ransomware attack. The Federal Statistical Office (FSO) was one of its customers. Both the FSO and Concevis reported the incident to the FDPIC, since FSO data had possibly fallen into the hands of the perpetrators of the attack. The FDPIC then opened an informal preliminary investigation against the FSO and Concevis and informed the public in a brief.

The FDPIC’s examination concluded that the opening of a formal investigation within the meaning of Art. 49 LPD was not necessary, as no serious breaches were found. Furthermore, the data affected by the cyberattack were encrypted and it is unlikely that the perpetrators of the attack could have read them.

However, the FDPIC found that certain elements relating to the processing of data between the FSO and Concevis should have been defined more clearly. It therefore stressed that contracts concluded by administrative units of the Confederation with service providers must precisely define the life cycle of the data, from their entry to their destruction. It also noted the need to clearly regulate the possibility for the office or external service providers to carry out checks and audits. Finally, the FDPIC reminded the FSO and Concevis of the recommendations issued in the Xplain case, which are of general scope.