
Cyber Incident Victim: Fondation de Verdeil

Date: Aug 2023

Location: Switzerland

Summary

The Fondation de Verdeil suffered a ransomware attack by the NoEscape group, resulting in the theft of highly sensitive personal data. The stolen data, allegedly including medical and insurance documents along with hundreds of children's photos, was published on the dark web. The foundation did not pay the ransom and implemented security measures to protect its systems while maintaining operational continuity for its students and staff.

CIA Posture: available to members
Motives: 2 motives (details available to members)
Tactics, Techniques & Procedures: 2 techniques (details available to members)
Threat Actor: 1 actor
Threat actor type: available to members
Threat actor location: available to members

Description

On Tuesday, August 8, 2023, the Fondation de Verdeil discovered it had been the victim of a cyberattack. The foundation is a major parapublic Vaudois institution providing specialized educational services to children and adolescents with various developmental and learning delays, disabilities, or difficulties. With 500 employees serving over 800 children and young adults from infancy to age 20, it is the largest such establishment in the canton of Vaud. In response to the incident, the foundation's management swiftly established a dedicated crisis cell to organize the response. Immediate emergency technical measures were taken to contain the breach, and a criminal complaint was prepared for filing with the authorities. Despite the attack, the foundation confirmed that its return to school would proceed as planned and that all its missions and activities would be maintained, ensuring operational continuity for its beneficiaries.


Technical analyses conducted in the immediate aftermath of the attack, as detailed in an update on August 18th, unfortunately confirmed the theft of files. While the exact nature of the stolen data was not yet known at that stage, the foundation took proactive steps to reinforce all measures aimed at securing its systems. A report was made to the data protection authority, and the process of drafting a criminal complaint was initiated. The foundation publicly warned that data accessed or stolen during the attack could potentially be used to send fraudulent messages, such as advertising spam, scam attempts, phishing emails, or communications containing malicious attachments. It recommended heightened vigilance to all parties if they received any suspicious message purporting to be from or referencing the Fondation de Verdeil.

Further investigation, as communicated on August 23rd, confirmed the exfiltration of data, though it was still not possible at that stage to determine the precise nature and volume of the information stolen. The foundation continued its investigative work with cybersecurity specialists, various cantonal services, and the police. As a preventative measure, the families of its beneficiaries, staff, collaborative partners, and suppliers were all informed of the situation. Internally, the dedicated crisis cell focused on preparation, action, and communication, with the goal of returning to normal operations as quickly as possible. The measures to secure the information system were deployed based on the results known from the ongoing technical analyses.

By August 24th, the foundation, with the support of specialists, the Cantonal Police, and concerned cantonal services, was preparing a specific protocol in case the stolen data was published on the darknet. The speed and volume of any potential publication were unknown at the time. This protocol, activated at noon on Friday, August 24, 2023, was designed to analyze the typology and sensitivity of any published data. Based on this assessment, actions aimed at preserving the security and integrity of potential victims could then be identified, organized, and deployed. Employees were informed of additional security measures they should take. The foundation reiterated that the school year had begun normally and that all of its missions were being maintained.

A significant development occurred on August 26th, when the foundation confirmed that data was being published on the darknet. Initial analyses of the published material were underway, though the foundation stated that it could not yet estimate how long this extensive task would take. The foundation again called for the greatest vigilance from everyone for prevention purposes and emphasized that, since the data was stolen, downloading and using it were illegal. The dedicated email address, [email protected], remained available to receive questions from concerned individuals. The continuity of the foundation's activities was repeatedly stated to be guaranteed throughout this period.

The criminal group behind the attack was identified as "NoEscape," a ransomware gang that first appeared in June 2023 and had, according to security experts, already claimed responsibility for 39 attacks by that time. The group claimed on its dark web site to have stolen 40 gigabytes of data records from the Fondation de Verdeil. It alleged that this data included medical letters, insurance documents, doctor's certificates, hundreds of photos of children, documents related to children, and many other sensitive pieces of information. The foundation officially confirmed the theft and publication of personal data concerning both its collaborators and beneficiaries on the dark web. It publicly called for the greatest vigilance regarding the potential misuse of this data and directed affected individuals to take the protective measures described on its website.

In line with official recommendations, the Fondation de Verdeil stated that it did not yield to the blackmail attempted by the cybercriminals and did not pay any ransom. The general director, Corinne Noth, confirmed that the incident was a ransomware attack in which a server was encrypted. Operations, particularly in administrative offices and communication functions, were impaired initially, but normal operations had since been restored. The foundation had immediately engaged its IT service providers and security specialists, as well as the IT and security department of the Canton of Vaud. Authorities at the federal level and the cybercrime department of the Cantonal Police were also informed. The foundation was conscious of its responsibility as an educational institution and established a task force to manage the situation, committing to publishing continuously updated and transparent information on its website and to informing all the families of its students.
