“I advise open communication following a ransomware attack”

It happened in the course of a migration to a new system architecture: in spring 2023, cybercriminals successfully gained access to the old infrastructure of the Basel-Stadt Department of Education, apparently via a phishing e-mail. The attackers seized more than 1 terabyte of data and threatened to publish it on the dark web, which they then did. What was out of the ordinary for a ransomware attack of this nature, however, was that no data was encrypted.

The Department of Education of Basel-Stadt opted for an unusual response to the incident. Instead of paying the ransom, it openly informed both the individuals affected and the general public of the incident in the media.

Thomas Wenk managed the incident with the support of Swisscom’s CSIRT team. In this interview, he explains why open communication is important to him and how his IT background, including as the former Head of the Competence Centre for Digital Investigation Services with the Zurich police department, helped him manage the incident.

Thomas Wenk explains the benefits of open communication in incident response

It helped a lot. If you speak the same language and don’t have to explain anything, it speeds up the process. Our mutual understanding and trust made the investigations much easier. In addition, as the interface to the Department of Education management, I was able to translate the findings into their language.

On the other hand, it was good that I was not involved in the technology side of things and that the incident affected the old infrastructure that had been migrated. This gave me the distance necessary to deal with the incident.

We did of course discuss the possible consequences in advance. For us, however, it was clear from the outset that we would actively inform the public. Even if it was uncomfortable to stand up and explain what had happened. In cases such as this in particular, the canton citizens quite rightly expect transparency from us.

Companies need to ask themselves how long they want to be vulnerable to extortion and remain a ‘cash cow’. As a private individual, I can see why companies pay ransoms. It’s a business consideration: if recovering encrypted data is more expensive than simply paying the ransom, it’s a no-brainer from a business perspective. Even if it makes the company more interesting to other cybercriminals as a ‘paying customer’.

By going public, we have broken this cycle and demonstrated that we are no longer open to extortion. We did of course inform the necessary internal departments in advance.

It’s a simple calculation: what is the likelihood of the incident remaining secret? And if found out, how long will it take us to recover from the damage? Companies have to make such considerations. It is quite likely that questions will be asked, for example, if employees are suddenly required to change their passwords. That’s why I advocate open communication.

We work with various state bodies such as the NCSC, with whom we also communicated transparently. I hope that, through open communication, we can help an organisation that finds itself in a similar situation. I said it before in my position with the Zurich police department: people don’t like losing, so we have to learn how to lose. We have to learn to stand up and admit that we have fallen victim. We also have to talk about the failures and say what happened. This is the only way we can help stop it happening to others. That’s why more companies need to communicate openly.