The embarrassing IT security weak spot in the Swisscard system, which has since been fixed, was reported to the Rundschau programme on Swiss public television, SRF, recently.
The information included the names of the travellers, their date of birth, the number of first- and second-class tickets purchased and the place of departure and destination.
The hacker told Rundschau that the recent attack required no specialist IT knowledge: “The sensitive data was practically public on the internet.” The data was never made public and has been returned to Swiss Railways. The hacker said they had no criminal intent but merely wanted to expose the problem.
The Federal Data Protection Commissioner was informed of the security breach. “This is a huge meltdown for Swiss Railways,” Otto Hostettler, a journalist and author specialising in internet crime, told Rundschau. “Such data can be sold in hacker forums on the dark web. In the wrong hands it would have great potential for abuse.”
This has been demonstrated by hacks into Swiss municipal databases in recent months, including the towns of Montreux and Rolle in western Switzerland. The group that hacked the Rolle database posted information on the dark net and warned it could attack other towns, companies or hospitals
Swiss news magazine Beobachter reported that 2,700 Swiss companies fell victim to ransomware hacks between August 2020 and August 2021. An article in Le Temps newspaper in December estimated that around 2,000 ransomware attacks targeted Switzerland last year.