Communication in connection with incident response

“I advise open communication following a ransomware attack”

Following a successful cyberattack on its IT infrastructure, the Department of Education for Basel-Stadt went on the offensive. The public were informed both about the attack and about the publication of confidential data on the dark web. In this interview, Thomas Wenk, Head of IT at the Department of Education, explains why organisations should adopt such openness more often.

Text: Andreas Heer, Pictures: Swisscom
1 December 2023

Learn more in this white paper about ransomware attacks and how companies can defend themselves against such attacks.

It happened in the course of a migration to a new system architecture: in spring 2023, cybercriminals successfully gained access to the old infrastructure of the Basel-Stadt Department of Education, apparently via a phishing e-mail. The attackers seized more than 1 terabyte of data and threatened to publish it on the dark web, which they then did. What was out of the ordinary for a ransomware attack of this nature, however, was that no data was encrypted.

The Department of Education of Basel-Stadt opted for an unusual response to the incident. Instead of paying the ransom, it openly informed both the individuals affected and the general public of the incident in the media.

Thomas Wenk managed the incident with the support of Swisscom’s CSIRT team. In this interview, he explains why open communication is important to him and how his IT background, including as the former Head of the Competence Centre for Digital Investigation Services with the Zurich police department, helped him manage the incident.

Thomas Wenk erklärt den Nutzen einer offenen Kommunikation in der Incident Response

Thomas Wenk explains the benefits of open communication in incident response

Thomas Wenk, how did your IT background and experience in cybersecurity influence your response to the incident?

It helped a lot. If you speak the same language and don’t have to explain anything, it speeds up the process. Our mutual understanding and trust made the investigations much easier. In addition, as the interface to the Department of Education management, I was able to translate the findings into their language.

On the other hand, it was good that I was not involved in the technology side of things and that the incident affected the old infrastructure that had been migrated. This gave me the distance necessary to deal with the incident.

In addition to communicating with the management, you also decided to go public with the incident. Why was that?

We did of course discuss the possible consequences in advance. For us, however, it was clear from the outset that we would actively inform the public. Even if it was uncomfortable to stand up and explain what had happened. In cases such as this in particular, the canton citizens quite rightly expect transparency from us.

You represent a public institution. It would appear that going public about such an incident is easier in your case than for a private company, which may have to contend with serious financial consequences as a result of the damage to reputation. What’s your take on that?

Companies need to ask themselves how long they want to be vulnerable to extortion and remain a ‘cash cow’. As a private individual, I can see why companies pay ransoms. It’s a business consideration: if recovering encrypted data is more expensive than simply paying the ransom, it’s a no-brainer from a business perspective. Even if it makes the company more interesting to other cybercriminals as a ‘paying customer’.

By going public, we have broken this cycle and demonstrated that we are no longer open to extortion. We did of course inform the necessary internal departments in advance.

However, many companies, especially in sensitive industries, apparently consider the risk and loss of reputation associated with open communication to be too high.

It’s a simple calculation: what is the likelihood of the incident remaining secret? And if found out, how long will it take us to recover from the damage? Companies have to make such considerations. It is quite likely that questions will be asked, for example, if employees are suddenly required to change their passwords. That’s why I advocate open communication.

Cybersecurity also relies on teamwork. In other words, companies are dependent on information about criminal actors from other organisations. To what extent does open communication following an incident facilitate such teamwork?

We work with various state bodies such as the NCSC, with whom we also communicated transparently. I hope that, through open communication, we can help an organisation that finds itself in a similar situation. I said it before in my position with the Zurich police department: people don’t like losing, so we have to learn how to lose. We have to learn to stand up and admit that we have fallen victim. We also have to talk about the failures and say what happened. This is the only way we can help stop it happening to others. That’s why more companies need to communicate openly.

About Thomas Wenk

Basel-born Thomas Wenk has been Head of the Department of Digitalisation and Computer Science at the Department of Education for Basel-Stadt since April 2021. Prior to that, he spent several years as Head of the Competence Centre for Digital Investigation Services with Zurich police department, working in areas such as digital forensics, cybercrime and Internet/dark web investigations. Wenk, who has a degree in Economics, had also previously worked as Head of the Central IT Services for the Canton of Basel-Landschaft.

Related articles