Cyber Incident Victim: Kantonale Verwaltung
Date: Feb 2025
Location: Switzerland
Summary
Unauthorized actors gained access to a single email account belonging to the Säckelmeister Ruedi Eberle of the cantonal administration in Appenzell I.Rh. From that compromised account they sent messages to external recipients. The administration's security system detected the breach and halted further propagation, preventing any data loss or additional account compromises. The IT office launched immediate security measures, conducted an analysis, and notified all staff and the affected third‑party recipients.

| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |

| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |

Description
On Thursday, 27 February 2025, an unknown actor gained access to a single email account belonging to Säckelmeister Ruedi Eberle of the cantonal administration of Appenzell I.Rh. The intrusion was detected after the compromised account was used to send messages to third‑party recipients. The security monitoring in place identified the unauthorized activity promptly. No further details about the method of entry were disclosed in the source.

The cantonal administration’s installed security system halted any further propagation of the breach, preventing the attacker from reaching additional accounts or exfiltrating data. Subsequent investigation confirmed that no data had been lost and that no other accounts within the cantonal administration were affected. The Office for Information Technology immediately launched the required security measures and conducted a thorough analysis of the incident. All staff members and the third‑party recipients who had received the unsolicited messages were notified without delay.

As a result of the containment actions, the incident caused no lasting damage to the cantonal administration’s information assets. The administration confirmed that the breach remained isolated to the single mailbox and that normal operations continued unaffected. The communication to employees and external recipients completed the response process described in the report.
