Cyber Incident Victim: Epicentre
Date:
Feb 2023
Location:
Switzerland
Summary
A cyberattack targeted a server at Epicentre, a swimming and leisure center in Romont, resulting in unauthorized access and theft of personal data. Approximately 380 client photos were subsequently published online, though other sensitive user information did not appear compromised. The organization, which serves around 10,000 clients, activated a crisis unit collaborating with cantonal police to analyze the breach and directly notify affected individuals. A criminal complaint was filed for illicit system access and data theft. The incident impacted a subset of users, with response efforts focused on containment and victim communication.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On or around February 1, 2023, Épicentre, a swimming and leisure center in Romont, Switzerland, operated by the Association du Cycle d’Orientation de la Glâne (COG), experienced a cybersecurity incident involving unauthorized access to one of its servers. An external party exfiltrated personal data belonging to approximately 380 clients and subsequently published the stolen information online. The COG confirmed the breach in a public statement released that evening, disclosing that the compromised data consisted primarily of customer photographs. While Épicentre maintains a client base of roughly 10,000 individuals, initial assessments indicated no evidence that other categories of sensitive user information—such as financial records, contact details, or identification documents—were extracted during the intrusion. The organization emphasized this distinction in its communication to contextualize the scope of the data exposure.
Upon discovering the breach, Épicentre activated a crisis management unit in coordination with the Cantonal Police to conduct forensic analysis of the compromised systems, identify the affected individuals, and implement incident response protocols. The stolen dataset’s publication on the internet prompted direct notification efforts targeting the 380 clients whose photos were disseminated. Legal proceedings were initiated by the COG, which filed a criminal complaint for unlawful access to a computer system and data theft under relevant Swiss statutes. The incident exposed operational vulnerabilities in Épicentre’s data storage practices, particularly concerning the server housing customer photographs, though the organization’s public statements did not specify technical details of the attack vector or intrusion methodology. While the breach’s direct financial impact remained unquantified in available disclosures, the event carried reputational consequences for the leisure center, necessitating public transparency measures to address client concerns and regulatory obligations under Swiss and European data protection frameworks.