News portal swissinfo.ch (SWI) wrote that this news first surfaced on Rundschau, a Swiss public TV program broadcast on SRF (Swiss Radio and Television). The SRF portal released a report entitled “Data leak at SBB: Swisspass data openly visible” on January 24th, 2022.
Vulnerability Has Caused a Super Meltdown for the SBB
The massive data leak affecting Swiss Federal Railways (SBB), comprising the customer data of around 500,000 people, has been described as a “super meltdown for the SBB” by Otto Hostettler, an internet crime expert. The SBB news portal confirmed that the vulnerability was a “data outflow” issue detected on the “NOVA” local transit system. NOVA is the first of its kind in Europe and gives travelers in Switzerland an efficient all-in-one solution for traveling unhindered on multiple modes of transport.
Reinstatement of an old mechanism caused the vulnerability
According to the SBB, the reinstatement of an “old mechanism” in December 2021 was a mistake and created a vulnerability. This old mechanism was enabled to allow easier subscription renewals.
Such a Leak Could Be Potentially Catastrophic
Hostettler added that such leaked data has great potential for abuse and could, for instance, be sold on hacker forums on the dark web. In addition, if the stolen data is supplemented with other stolen data, such as personal credentials or account information, this could have a domino effect and allow cybercriminals to launch personalized attacks on high-profile individuals like politicians or CEOs.
Which Information Was Leaked?
The leaked information included passengers’ names, dates of birth, the numbers of their first and second-class tickets, and departure and destination information. As a result, practically the entire public transport system of Switzerland is affected by this security incident.
Sensitive data was open to the public
The IT expert who accessed the files over the holiday season emphasized that private customer data was practically public and easily accessible, even to someone without specialist IT knowledge.
IT expert did not have malicious intentions
The IT expert explicitly stated: “I’m not a criminal. I want to raise awareness of data protection.” He also remarked that he did not harm any SBB customer in this process and has since deleted the one million data sets he had downloaded.
Security Issues Have Been Resolved
The vulnerability has since been closed by the SBB, and customers were not compromised by the data leak. Unauthorized retrieval of such data is no longer possible. The issues have been reported to the Federal Data Protection Commissioner, and a formal apology has been issued to all transport customers on behalf of Alliance SwissPass and the SBB.
Not the First Time the Swiss Have Been Compromised
Switzerland, with its picturesque hushed landscapes and green pastures, is not a nation known for being in the news for any incidents. It is a nation known for its historical neutrality and is one of the most developed European nations. However, the risk of cybercrime knows no bounds, as clever hackers will exploit the tiniest door left unguarded. This was apparent in the recent Swiss Red Cross hack, as well as cyber attacks on Swiss municipal databases in Rolle and Montreux, Switzerland. No nation is completely impervious to ransomware. As such, the Swiss have also had their fair share of ransomware woes between 2020 and 2021, when 2,700 companies were compromised.