Cyber Incident Victim: Service de la Curatelle
Date: Apr 2023
Location: Switzerland
Summary
The Service de la Curatelle in Saxon was targeted in a ransomware attack which allowed the perpetrators to infiltrate its IT system and steal data. An investigation by cantonal police is underway to determine the exact nature and full scope of the compromised information. This was the first cyberattack experienced by the service, which acts as the competent authority for several communes.
Description
On or around Saturday, April 8, 2023, the Service officiel de la curatelle (SOC) located in the commune of Saxon, Valais, Switzerland, was targeted by a cyberattack. The incident was publicly confirmed by the Valais cantonal police in a communiqué issued on Friday, April 14, 2023. The police characterized the attack as a ransomware incident; ransomware is a type of malicious software designed to block access to a computer system until a sum of money is paid. In this case, the attack allowed the threat actors to infiltrate the organization's information technology service. The primary objective of the intrusion, as stated by authorities, was data theft. The attackers were able to penetrate the system and exfiltrate data from the curatorship service.

The Service officiel de la curatelle serves as the competent authority when a mandate is addressed to professional curators for the communes of Saxon, Fully, Leytron, Riddes, and Isérables. Its function involves handling sensitive legal and financial matters pertaining to guardianship and trusteeship, implying that the stolen data likely included confidential personal and financial information relating to the individuals under the service's care. The exact nature, scope, and volume of the data compromised were not immediately known following the discovery of the breach. A formal investigation was launched by the Valais cantonal police to determine these critical details. The police investigation specifically aimed to ascertain the precise nature and full extent of the data that was stolen and to identify the specific methods and tools employed by the attackers to carry out the breach.
In the immediate aftermath of the attack, the organization and law enforcement adopted a stance of limited public disclosure. The police communiqué explicitly stated that no further information would be provided at that initial stage, a common practice intended to preserve the integrity of the ongoing investigation and to avoid providing strategic advantages to the perpetrators. Pascal Fournier, the director of the Service officiel de la curatelle, confirmed in a statement to the Keystone-ATS news agency that this was the first time his service had ever fallen victim to such a cyberattack. Director Fournier echoed the police position, stating he could not provide any additional information or commentary at that early point in the process. This indicates the incident was a novel and significant event for the organization, necessitating a careful and measured response.
The impacts of the incident are directly tied to the nature of the organization's work. As a legal custodian service, a ransomware attack and confirmed data theft represent a severe breach of confidentiality and a potential violation of the privacy of the vulnerable individuals it serves. The immediate operational impact would have included the disruption of IT systems, potentially halting or severely hindering the administration of ongoing curatorship cases. The long-term consequences involve the risk of the stolen sensitive data being misused, which could lead to secondary crimes such as fraud or identity theft against the affected individuals. The reputational damage to the service, built on trust and confidentiality, is another significant consequence.

The response actions were initiated swiftly. The primary response was the engagement of law enforcement, with the Valais cantonal police taking the lead on the criminal investigation. The focus of this investigation was forensic, aiming to trace the attack methodology and identify the perpetrators while also working to definitively catalog what specific data sets were accessed and copied. Internal organizational response would have included steps to contain the breach, isolate affected systems to prevent further spread of the ransomware, and begin the process of recovery and restoration of services from backups, though these specific internal technical measures were not detailed in the public reports. The public communication strategy was deliberately minimal, providing only a basic confirmation of the incident without speculation on its details, an approach intended to manage public concern while the investigation proceeded.
