Cyber Incident Victim: Canton of Vaud

The Canton of Vaud municipality of Yverdon-les-Bains disclosed a data breach on January 1, 2024, involving an external provider for its energy services department. Investigations revealed approximately 12,300 individuals and legal entities had their contact and billing information compromised. The breach exposed names, addresses, telephone numbers, and financial account details stored by the third-party vendor. Municipal authorities initiated direct mail notifications to all affected parties, with letters scheduled for delivery in the days following the announcement. No technical details regarding the breach mechanism, intrusion timeline, or attacker identity were disclosed in the public statement. The incident represented a systemic supply chain vulnerability, as the municipality's reliance on external providers created an attack surface beyond its direct control.

Exposed data created multiple secondary risk vectors for victims, including targeted phishing campaigns via email and SMS, fraudulent phone calls impersonating legitimate institutions, and credential-stuffing attacks against online accounts. Attackers could combine stolen contact details with publicly available social media information to facilitate identity theft or financial fraud. The municipality coordinated its response with the Cantonal Cybersecurity Intervention Force (CSIRT), emphasizing threat monitoring rather than technical remediation steps. Public communications focused exclusively on breach notification and risk awareness, omitting specifics about containment measures taken with the affected provider. Impact assessments remained preliminary, with no confirmation of actual misuse of stolen data at the time of disclosure.