Cyber Incident Victim: Unico Data AG
Date: May 2023
Location: Switzerland
Summary
A ransomware attack targeted the IT service provider Unico Data AG, causing widespread disruption for its numerous clients. The incident, attributed to the Play cybercrime gang, forced the company to shut down all its systems. The attack severely impacted a diverse range of businesses and public institutions, including a cinema chain, a tool manufacturer, municipal administrations, and a healthcare group. This led to operational interruptions, with services like online ticket sales becoming unavailable and internal systems requiring a gradual restoration process.
Description
On or around May 27, 2023, the Bern-based IT service provider Unico Data AG suffered a significant ransomware attack. The company's IT personnel first detected the incident during the night from Saturday, May 27, to Sunday, May 28. The attackers, identified as the Play ransomware group, launched the encryption outside standard business hours, over the Pentecost weekend, timing that maximizes the damage done before staff notice and react. An early indicator of the group's involvement was the ".play" file extension on the encrypted data, a marker previously associated with this group. A file extension on its own is a weak attribution signal, since it can be imitated; the attribution was corroborated when Play claimed responsibility on its darknet data leak site on June 2, 2023, publicly mocking its victims.
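As an added example (not code from the original page, from Unico Data or from the Play group), the following Python scans a directory tree for the file-extension indicator described above and checks whether the renamed files actually look encrypted, since a renamed extension alone says little. Only the ".play" extension comes from the page; the entropy threshold, the helper names and the sample files are assumptions constructed here for the demonstration.

```python
"""Scan a directory tree for files carrying a ransomware extension (".play"
in this incident) and measure whether their contents look encrypted.

Added example for this page, not Unico Data's or Play's code. Only the
".play" extension comes from the page; the entropy threshold, the sample
tree and the function names are assumptions made here for illustration.
"""
import math
import os
import tempfile
from collections import Counter

RANSOM_EXT = ".play"        # extension observed on encrypted files (from the page)
ENTROPY_THRESHOLD = 7.0     # bits per byte; assumed cut-off, ciphertext sits near 8.0
SAMPLE_BYTES = 4096         # read only the head of each file to keep scans cheap


def shannon_entropy(data: bytes) -> float:
    """Return Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_tree(root: str, ext: str = RANSOM_EXT) -> dict:
    """Walk `root` and report how many files carry `ext`, how many of those
    have high-entropy (encrypted-looking) content, and which paths matched."""
    total = 0
    flagged = []
    high_entropy = 0
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            total += 1
            if not name.lower().endswith(ext):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(SAMPLE_BYTES)
            flagged.append(path)
            if shannon_entropy(head) >= ENTROPY_THRESHOLD:
                high_entropy += 1
    return {
        "total_files": total,
        "ransom_ext_files": len(flagged),
        "high_entropy_files": high_entropy,
        "ratio": (len(flagged) / total) if total else 0.0,
        "paths": sorted(flagged),
    }


def build_sample_tree() -> str:
    """Create a constructed sample tree: three plaintext documents and two
    files renamed with the ransom extension and filled with random bytes
    (standing in for ciphertext). Returns the temporary directory path."""
    root = tempfile.mkdtemp(prefix="play_scan_")
    os.makedirs(os.path.join(root, "shared"))
    for i in range(3):
        with open(os.path.join(root, "shared", f"report{i}.txt"), "w") as fh:
            fh.write("quarterly figures, plain ASCII text\n" * 50)
    for i in range(2):
        name = f"invoice{i}.xlsx" + RANSOM_EXT
        with open(os.path.join(root, "shared", name), "wb") as fh:
            fh.write(os.urandom(SAMPLE_BYTES))
    return root


if __name__ == "__main__":
    result = scan_tree(build_sample_tree())
    print(f"{result['ransom_ext_files']}/{result['total_files']} files carry "
          f"{RANSOM_EXT}; {result['high_entropy_files']} look encrypted")
    for p in result["paths"]:
        print("  ", p)
```

Run it against a mounted file share or a restored backup snapshot; a high ratio of renamed, high-entropy files tells a responder that the share was encrypted rather than merely renamed, and the matched paths give the scope of affected data without relying on the attacker's extension choice alone.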

Unico Data AG, operating from Münsingen with approximately 75 employees, served over 100 customers, primarily small and medium-sized businesses (SMEs) as well as larger companies and state institutions, with a strong concentration in the Bern region. As a Managed Service Provider (MSP), the company offered comprehensive IT services, including hosting "Software as a Service" (SaaS) applications from its data center for its clientele. The nature of its business model meant the attack on its centralized infrastructure had immediate and severe cascading effects on its extensive customer base. In response to the intrusion, Unico Data was forced to shut down all of its systems to contain the threat, which resulted in a complete cessation of its provided services.
The consequences of the system-wide shutdown were severe and widespread, impacting numerous private firms and state institutions that relied on Unico Data's services. The Swiss cinema chain Pathé was severely affected, necessitating a public announcement on its website that online ticket sales were suspended until further notice. This disruption affected Pathé's locations in Basel, Bern, Dietlikon, Ebikon, Geneva, Lausanne, and Spreitenbach. The Swiss tool manufacturer PB Swiss Tools, based in Wasen im Emmental, also experienced operational disruptions. The company's managing director, Eva Jaisli, confirmed the impact but assured that production could be maintained in shift operations, though she requested patience from customers.
The municipal administration of the Bernese commune of Rüegsau was thrown into a state of emergency as its IT system, managed by Unico Data, was rendered inoperable. Local officials informed residents that the community's data processing systems were out of service, leading to significant delays and disruptions in municipal operations. The Boess Group, a Bern-based firm specializing in electrical engineering services with 13 locations across Switzerland, also confirmed it was among the affected organizations. Other impacted entities included the Rugenbräu AG brewery in Interlaken and the Depot Zollikofen, both of which reported that they could be reached only to a limited extent.
A major client, the Siloah Group in Gümligen, a leading integrated provider of geriatric medical care for the Bern region and one of the larger customers of Unico Data AG, was also severely impacted by the IT system shutdown. The institution, which employs approximately 870 staff across multiple sites and operates 95 hospital beds and 270 nursing home beds, had its systems rendered inoperable. Martin Gafner, President of the Siloah Foundation and of the Siloah AG board, acknowledged the difficult situation but emphasized that patient safety was guaranteed at all times despite the IT outage. He reported that employees were actively testing the systems to restore functionality.
The response to the incident was initiated immediately upon its discovery. Unico Data's management, including managing director (Geschäftsführer) Vince Lehmann, confirmed the ransomware attack to the media. The company worked with the relevant authorities to restore its IT systems, as stated in a media release issued on the Thursday following the attack. The restoration process was described as ongoing, but the company could not give a definitive timeline for when full system functionality would be restored. Email communication remained temporarily impossible. Unico Data established a dedicated section on its website to provide customers and the public with updates on the progress of containing the cyberattack and restoring services.
The managing director of Unico Data was quoted in media reports stating that the affected IT systems would be brought back online gradually over the coming days and weeks. This indicated a protracted recovery process for all clients, who were advised to expect continued disruptions. The attack demonstrated the concentration risk inherent when a single central service provider for numerous entities is compromised: one intrusion into the MSP's shared infrastructure became a multi-sector operational crisis across a significant geographic region. The incident highlights the disruptive potential of ransomware attacks on critical service providers and the extensive collateral damage inflicted on their downstream customers.
