
Cyberattack Exposes Swiss Tax Administration Data

Executive Summary

A recent incident in Switzerland has raised concerns about a data breach. Attackers targeted the software company Concevis, which led to data encryption, potential data breaches, and a threat to publish sensitive personal information on the darknet.

The ransomware attack, attributed to the Phobos ransomware, impacted various federal agencies, including the Federal Tax Administration (FTA).

In early November, Concevis, a Basel-based software company, fell victim to a ransomware attack that encrypted all of its servers.

The attack, publicized by Concevis and the Swiss National Cyber Security Centre (NCSC), exposed a massive data breach in Switzerland, reportedly including sensitive information from US clients at Swiss banks.

The attackers demanded a ransom and threatened to publish the data on the darknet when Concevis refused to pay. The first fragments from the massive data leak are now said to have surfaced on the darknet.


The attack targeted Concevis and affected multiple organisations, including municipal authorities, the Federal Offices for Civil Protection, Spatial Development, Statistics, Civil Aviation, and the Swiss Armed Forces Training Command.

The breach reportedly includes highly sensitive information such as names, passport details, and account numbers of US clients at Swiss banks. Ongoing investigations aim to determine the extent of the impact on these organisations.


In response to the cyberattack, Concevis, in collaboration with the Swiss National Cyber Security Centre (NCSC), took immediate steps to address the incident.

The ransomware attack, which became public in mid-November, led to the encryption of all Concevis servers. This prompted an acknowledgement of “an extensive outflow of data.”

In order to protect customers and potentially affected data, Concevis initiated criminal proceedings with the Basel-Stadt public prosecutor’s office. The company also enlisted the help of an external security service provider. Additionally, they engaged with an IT security service provider to continuously monitor relevant forums and track potential data leaks.

In tandem with the ongoing investigation, Concevis informed its clients, including municipal authorities and various administrative units of the Federal Administration, about the cyber incident.

While clarifications are underway to determine the specific units and data affected, Concevis mentioned that federal systems are unlikely to be compromised based on current analyses.

The NCSC actively coordinates with Concevis, prosecution authorities, and the affected administrative units to implement necessary measures within the Federal Administration. As the investigation progresses, the NCSC is committed to keeping the public informed of any developments.

About the Ransomware

The attackers used the ransomware Phobos, which is currently among the top 5 most frequently used encryption Trojans, according to the German Federal Criminal Police Office.

The cybercrime group 8Base, known for its activity since the summer, is associated with the ransomware Phobos. While 8Base operates its own leak page on the Tor network, they have not claimed responsibility for the Concevis attack.

Another Attack Impacting Swiss Federal Units

The Concevis incident is not the only recent attack impacting the Swiss federal units. On June 8, 2023, the IT company Xplain, a Swiss provider of government software, fell victim to a ransomware attack.

The incident impacted several Swiss federal and regional government departments, as well as the army, customs, and the Federal Office of Police (Fedpol).

The BlackSuit ransomware carried out the attack. After encrypting stolen data, the attackers posted it on the darknet. Xplain then notified the NCSC and reported the criminal offense to the Bern Cantonal Police.

In response to the incident, the Federal Council approved an investigation order on August 23, 2023. The investigation is ongoing, and there are no further details about it.



Cubic Lighthouse is a cybersecurity publication dedicated to demystifying security, making news actionable, providing deeper thinking about the fundamentals of security, and providing decision-makers and the community at large with the right information to make the right decisions. We will also feature more technical articles and provide personal/family security advice.

©2024 Cubic Consulting, a Smart Security Company for your Business – All Rights Reserved.