On 18 September 2013 the NZZ announced that its editorial office was in possession of four data tapes originating from Swisscom data centres. Swisscom immediately filed a criminal complaint against persons unknown. The NZZ went on to analyse the data further and published the names of a number of customers in a further article on 20 December 2013. In Swisscom’s opinion, the ongoing publication of such information and customer data served no public interest. To protect the interests of its customers, Swisscom demanded that the NZZ release and destroy the data still in its possession and refrain from publishing any further articles. Although the Berne Commercial Court has now overturned the injunction, it clearly states in its reasons for the judgement that any further piecemeal publication of information gained from these data tapes may constitute a breach of the Unfair Competition Act (UGW). During the proceedings for the immediately enforceable injunction, the NZZ emphasised that it would not disclose any more specific client data, which was an additional demand made by Swisscom.
In its press release of 18 September 2013, Swisscom stated that the stolen data tapes could contain customer information. An evaluation of the metadata on the stolen tapes has confirmed that they contained information such as the names, contact details and IBAN numbers of customers who pay by direct debit. Not all data sets were checked, however. Swisscom took the view that a comprehensive and time-consuming check of all data sets, which in total contain more than a terabyte of data, was not expedient given that the data carriers were returned to Swisscom or destroyed shortly after the NZZ article was published.
When the theft was announced, the NZZ was immediately asked to return the data tapes. The NZZ returned three tapes to Swisscom. According to the NZZ the other had been returned to its source, who had apparently destroyed it. It therefore appeared to Swisscom that there was no further danger of customer information being made public in an improper manner.
Swisscom immediately implemented measures designed to prevent a similar incident from happening again. Since 2012, data have been stored only on a variety of hard disks at distributed locations. Due to the fact that the data are distributed, each hard disk contains only individual fragments of data. It would therefore take a great deal of effort to extract any useable information from just one or a small number of hard disks. Additional measures have also been implemented to further increase security. These include the installation of a screening system (metal detector and X-ray) in the new data centre in Wankdorf.
Alte Tiefenaustrasse 6
Postfach, CH-3050 Bern
Tel. +41 58 221 98 04
Fax +41 58 221 81 53