
Cyber Incident Victim: Stadt Baden

Date:

Jun 2023

Location:

Switzerland

Summary

The city of Baden fell victim to a cyber attack, resulting in the publication of sensitive citizen data on a dark web forum. The stolen data, a partial copy of a central administrative database, included names, addresses, financial records, invoices, and information on cremations. The attackers, operating under the alias 'dragonforce', likely exploited an older security vulnerability to access a backup copy of the data. The full scope of the breach and the exact method of intrusion remain under investigation.

CIA Posture: Available to members
Motives: 2 motives
Tactics, Techniques & Procedures: 2 techniques
Threat Actor: 1 actor
Type: Available to members
Location: Available to members

Description

In late May or early June 2023, the city of Baden, Switzerland, fell victim to a significant cyber incident. The breach was first brought to public attention when FDP city councillor Mark Füllemann raised a question in June 2023 regarding the security of citizen data stored by the city council. The full scope of the incident, however, only became apparent several months later. In the last week of October 2023, a user named "dragonforce" began offering data from the city in the canton of Aargau for download on a hacker forum. The user had registered the account on October 29, 2023, indicating that the public release of the stolen information was a recent action following the initial compromise.


The data published online constituted a partial copy of the city's central administrative database. The available dataset was a 3-gigabyte file, described as being part of a larger database. The entire database could not be reconstructed from the published material because other parts were missing. The excerpt that was released contained a vast array of sensitive information pertaining to the city's administration and its citizens. This included various tables with the names and addresses of residents, with one table alone containing over 24,000 entries. The stolen data also contained parts of the city's budget from 2013 to 2023, information on municipal investments—such as the secondary school center—and receipts for various products like vignettes and towels with the Baden logo. Furthermore, the dataset included invoices sent to citizens, payment reminders, sections of accounts payable, and details regarding the cremation of deceased individuals, including when they were cremated.

Evidence within the data itself confirmed its authenticity and indicated it was current. An entry bearing the date September 10, 2023, demonstrated that the information was recent and had been created just months prior to the public release. Analysis of the published data allowed for a reconstruction of what the complete database would contain, revealing the potential scale of information that could have been compromised. The structure pointed to the existence of several thousand tables containing information on a wide range of municipal functions. These included the dog registration register, details on the city budget, childcare information, data on municipal real estate, donations to associations, and the voting register. The only major category of data not stored in this system appeared to be tax information, which was held in a separate system.

The exact method of initial intrusion remained undetermined at the time of the public disclosure. The city's media spokesperson, Nicole Meier, stated that the data leak was presumably due to an older security vulnerability. She confirmed that in the months leading up to November, the city had closed various security gaps and implemented security measures. Analysis of the published material provided some clues about the attack vector. Various scripts for data import that were also released alongside the database excerpt suggested that the attackers likely did not gain direct access to the live, central database. Instead, the evidence pointed toward the theft of a backup copy of the data. It remained unclear whether the hackers had stolen the entire database or only the partial copy that was eventually published. The city could not confirm if additional data had been exfiltrated.

The identity and motivation of the threat actor behind the attack were not conclusively established. The user "dragonforce" who published the data did not respond to a written inquiry from NZZ asking if they possessed further data. While "DragonForce" is also the name of a known Malaysian hacktivist group, the logo associated with the forum user was different, and the known group had not claimed responsibility for the attack. This suggested the name was likely a coincidence and that two separate actors were involved. No ransom demand was received by the city, ruling out a straightforward ransomware attack as the primary motive at that stage. The "dragonforce" account engaged in widespread activity, publishing new datasets from various companies around the world almost daily since its creation, including an American emblem manufacturer and the Singaporean subsidiary of Coca-Cola, indicating the actor was engaged in a broader campaign beyond the attack on Baden.

The impact of the incident was severe due to the highly sensitive nature of the exposed information. The compromise of personal addresses, financial documents, and even details related to cremations represented a significant violation of citizen privacy and data protection standards. The potential for this information to be misused for fraud, phishing campaigns, or other malicious activities was a major concern. The breach affected the core administrative data of the municipality, touching nearly every aspect of city operations except for tax collection.

The city's response involved immediate investigation and assessment. Upon discovery of the data publication, the city initiated a process to determine the pathways that led to the data leak. Meier stated that their technical experts were investigating the various possible routes that could have led to the publication of the data. A significant complicating factor in the response and investigation was the shared IT infrastructure between the cities of Baden and Aarau. Since 2019, the IT infrastructure for both municipalities had been jointly managed. This raised the immediate question of whether data from the city of Aarau was also compromised in the attack. The city spokesperson could not provide any information regarding this potential collateral damage, stating that investigations were ongoing to determine the full scope of the breach across the shared systems. The incident remained under active investigation by the city's technical experts to ascertain the complete entry point, the total volume of data exfiltrated, and the full impact on both Baden and Aarau.

Sources: 1 source (available to members)