Cyber Incident Victim: Rolle, Switzerland
Date:
May 2021
Location:
Switzerland
Summary
A ransomware attack compromised the municipal systems of Rolle, Switzerland, initially dismissed by local officials as minor and affecting only non-sensitive email data. Subsequent investigations revealed a significant breach exposing highly sensitive personal information of the entire population, including names, addresses, birth dates, social security numbers, residency permits, religious affiliations, school records with grades, COVID-19 infections among children, employee performance evaluations, and some criminal records. The municipality admitted underestimating the attack's severity and the dark web's risks, acknowledging the exposed data's potential misuse. A criminal complaint was filed, and a taskforce established to manage the crisis.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On May 30, 2021, the municipal government of Rolle, Switzerland, detected a ransomware attack compromising administrative servers. Initial assessments by town officials characterized the incident as limited in scope, with Administrative Chief Monique Choulat Pugnale publicly describing it as “a weak attack” affecting only email servers that purportedly contained no sensitive municipal data. The town asserted that minimal data had been compromised and that all affected systems had been restored from backups. This early communication, occurring within days of the attack’s discovery, emphasized operational recovery and downplayed potential risks to residents.
Subsequent investigations by Swiss media outlet Le Temps, published on June 2, 2021, revealed the attack’s extensive severity. An unnamed cybersecurity expert located on the dark web identified thousands of exposed municipal documents within 30 minutes of searching, contradicting official statements. These records included comprehensive spreadsheets containing personal data of all 5,400 residents, such as full names, addresses, dates of birth, social security numbers, and residency permit details for non-Swiss nationals. Additional compromised materials encompassed religious affiliations, school records with student grades, COVID-19 infection reports for children, employee performance evaluations, and partial criminal histories. Faced with this evidence, the Rolle municipality issued a revised statement on June 2 acknowledging it had “underestimated the severity of the attack” and exhibited “naivete towards the stakes when dealing with the dark web.” The town filed a criminal complaint and established a dedicated taskforce to manage the crisis, though it did not publicly specify remediation steps for affected individuals or disclose technical details regarding the ransomware’s entry vector or encryption mechanisms. The exposure of highly sensitive demographic, educational, and health information represented a systemic breach of resident privacy with potential long-term identity theft and discrimination risks.