Cyber Incident Victim: Commune de Bex

Date: Jun 2023

Location: Switzerland

Summary

The Commune de Bex was impacted by a cyberattack which encrypted its data and forced its IT systems to be isolated as a precaution. While administrative activities were slowed, services were maintained. A subsequent investigation ruled out a large-scale data theft. The municipal crisis unit collaborated with cantonal police and cybersecurity experts, and a criminal complaint was filed. Systems were gradually restored to function over the following days.

Description

On or around Sunday, June 4, 2023, the Commune of Bex in the canton of Vaud, Switzerland, fell victim to a cyberattack. The assault targeted the municipality's information technology systems, resulting in a significant encryption of data. The incident was officially discovered and confirmed the following day, Monday, June 5, 2023. In immediate response to the discovery, the municipal authorities established a crisis cell to manage the situation. This action was taken in close collaboration with the Vaud Cantonal Police, initiating a coordinated effort to address the security breach from both a technical and a judicial standpoint. The primary impact of the attack was felt through the immediate operational disruption; the commune's administrative services were forced to function at a severely reduced capacity, significantly slowing down municipal activities.

The initial phase of the response involved isolating the compromised computer systems as a precautionary measure to prevent any potential further spread or damage from the attack. This isolation was a critical containment step taken to secure the environment. Throughout Tuesday, June 6, and Wednesday, June 7, technical and judicial investigations continued in earnest. The commune cooperated with a range of external experts to support these efforts. This included specialists from the operational security center (SOC) of the Canton of Vaud's General Directorate for Digital and Information Systems (DGNSI), demonstrating the involvement of cantonal-level cybersecurity resources. Furthermore, the municipality engaged an external specialized partner to bring additional forensic and recovery expertise to bear on the incident.

In its first official situation report published on the afternoon of Wednesday, June 7, the Commune of Bex provided a preliminary assessment. The administration confirmed that while its activities were maintained, they were being conducted at a slowed pace due to the ongoing IT outage. The municipality also publicly addressed the concern of data theft, a common consequence of such attacks. Officials stated that while they believed the probability of a data theft was reduced, they could not definitively exclude the possibility at that early stage. This uncertainty was a key point of concern for both the administration and the citizens it serves.

The recovery process began to show tangible progress by Thursday, June 8, 2023. On that date, the municipality's IT systems were progressively and successfully brought back online. This marked the start of the restoration phase, following the initial analysis and containment period. The technical teams worked diligently to restore data from available backups with the clear objective of achieving a full and gradual resumption of all IT activities, which was targeted for the following Monday, June 12. This indicated a week-long period of severe disruption to the commune's digital infrastructure from the time of the attack's discovery.

By Tuesday, June 13, the Commune of Bex issued a more comprehensive update, indicating a significant step towards normalcy. The additional digital investigations conducted in the intervening days had yielded a crucial finding: the authorities were able to rule out a mass data theft. This determination provided considerable relief, suggesting that the attackers' actions were likely limited to encryption for the purpose of extortion rather than the exfiltration of sensitive citizen or administrative information. Despite this positive development, the formal procedures associated with a major data breach were initiated. The relevant data protection authority, the Autorité de protection des données et de droit à l'information (APDI), was notified of the cyberattack. The municipality also planned to make a formal announcement to the APDI at a later date, adhering to regulatory obligations.

From a legal perspective, the Commune of Bex filed a criminal complaint against unknown persons with the competent judicial authority. This formal step engaged the legal system in the pursuit of the perpetrators and underscored the seriousness with which the incident was treated. The penal investigation continued beyond June 13, sustained through the ongoing collaboration with the involved cybersecurity experts from both the canton and the private sector. The management structure for the incident also evolved at this point. The initial crisis cell, which had been rapidly established on June 5, formally handed over its responsibilities to an accompanying cell. This new cell was to be piloted directly by the Municipality of Bex, signaling a transition from emergency response to a longer-term recovery and monitoring phase.

The overall impact of the incident was primarily operational and financial, stemming from the necessary shutdown and subsequent restoration of IT services. The encryption of data rendered systems unusable, directly causing the slowdown in administrative functions. While the fear of a major data breach loomed large initially, the final assessment that a mass theft did not occur mitigated what could have been a far more severe privacy impact on the commune's residents. The response was characterized by a methodical and coordinated approach, leveraging internal resources, cantonal support from the Vaud DGNSI's SOC, and external private-sector expertise. The engagement with law enforcement and data protection authorities followed established protocols for such incidents. The municipality maintained public communication throughout the process, acknowledging the disruption and expressing gratitude for the population's understanding and patience during the challenging period of recovery.
