Swisscom Acknowledges Data Security Breach
Neue Zürcher Zeitung NZZ was in possession of four data tapes that apparently originated from Swisscom’s data centres, the editorial office has informed the company. The records concerned are apparently backup files from 2008 to 2010 containing internal Swisscom data, including e-mails. It is still not clear to Swisscom whether customer data are also stored on these data carriers. Three tapes have already been returned to Swisscom and are in the process of being analysed. Data security takes top priority at Swisscom. As a result, the company immediately instigated legal proceedings against persons unknown and informed the Federal Data Protection Commissioner about the incident. Swisscom is doing its utmost to clarify the incident as fast as possible. It is currently assumed that it was motivated by criminal intent.
Four data tapes were handed over to the NZZ editorial team by a person unknown to Swisscom. According to the information currently available, the backup data contained on the tapes originate from two Swisscom data centres and contain backup copies from the years 2008 to 2010. According to details provided by the NZZ editorial team, these data tapes contain internal backup files, including e-mails from Swisscom employees. Swisscom received the tapes yesterday, Tuesday, and is working as quickly as possible to analyse their content. It cannot be ruled out at the present time that customer information is stored on the tapes.
Strict controls governing the use and destruction of storage media
The type of data tape that has emerged at NZZ has not been used by Swisscom since 2012. Today, data are predominantly saved on hard disks. Swisscom has extremely stringent regulations governing the secure and sustainable disposal of such data carriers. Data carriers are only removed from the servers in accordance with the dual-control principle; this same procedure applies to storage in multiple-security-level disposal rooms. The transport of data carriers is also always subject to the dual-control principle. Data carriers are transported in a convoy with two escort vehicles before they are destroyed (shredded). External partner companies are also involved in this process. Since the beginning of 2012, hard disks have been demagnetised – resulting in the data being deleted – prior to their disposal in the data centres. The procedure has been further reinforced in that all hard disks are inventoried and thus the route from usage to disposal can be traced back in full. The employees involved are specially instructed and trained for this work. The disposal procedure is also reviewed on a regular basis by an external company.
Swisscom instigated measures immediately
Swisscom has made it its top priority to clarify the incident. Not only has it commenced internal investigations, but it has also notified the Federal Data Protection Commissioner. Swisscom is working on the assumption that the data tapes were taken illegally and has therefore filed criminal charges against persons unknown with the public prosecutor in Bern-Mittelland. Swisscom has also instigated an in-depth review of the procedure used to dispose of data carriers in order to identify any potential weaknesses. In the meantime the NZZ has given three of the tapes back to Swisscom. A further tape has been returned by NZZ to its source. Swisscom is doing everything it can to retake possession of this missing tape.
In related media coverage, the Wall Street Journal reports:
Bern-based Swisscom said it became aware of the theft after four tapes were given to the Neue Zuercher Zeitung, a nationwide Swiss newspaper, which published a report about the tapes Wednesday.
The tapes contained 600,000 phone numbers, medical appointments and invitations to social events, according to the paper, as well as 14,500 emails from Swisscom employees, including details of contracts with the company’s private and business customers.
NZZ didn’t say how it obtained the tapes and didn’t respond immediately to requests for comment Wednesday.