Ransomware (Phobos)

Concevis Ransomware (Phobos)

In November 2023, the Swiss government software provider Concevis fell victim to a ransomware attack. Sensitive federal and cantonal data ended up on the darknet.

What happened?

In early November 2023, Concevis AG — a Basel-based software company developing specialised applications for Swiss authorities — fell victim to the Phobos ransomware variant. The attackers encrypted the company’s servers and exfiltrated large volumes of data, which were subsequently published on the darknet.

The incident became public on 10 November 2023 when the federal government confirmed that federal administration data was also affected. Concevis AG had access to sensitive datasets of several federal offices, including the Federal Tax Administration (FTA) and the Federal Statistical Office (FSO).

The attack was a textbook example of a supply chain attack: the federal administration itself was not hacked; the attackers instead compromised an external service provider and, through it, indirectly accessed federal data.

Who was affected?

  • Federal Tax Administration (FTA): Tax data of private individuals and companies potentially compromised
  • Federal Statistical Office (FSO): Census data and statistical surveys affected
  • Federal Office of Civil Aviation (FOCA): Aviation and safety data
  • Armasuisse: Swiss Army procurement data
  • Multiple cantons and municipalities using Concevis software
  • Thousands of private individuals whose tax and personal data ended up on the darknet
  • Concevis AG itself, which had to massively curtail its business activities after the incident

The National Cyber Security Centre (NCSC) took over coordination and classified the incident as one of the most serious cyber incidents in the history of the Swiss federal administration.

How large was the damage?

Conservative estimates put the total damage at CHF 10–30m, distributed across all affected parties:

  • Concevis AG: Existentially threatening damage — IT restoration, customer loss, massive reputational damage
  • Federation and cantons: Millions in costs for forensic analysis, data protection assessments and preventive measures
  • Affected citizens: Risk of identity theft through published tax data
  • Political damage: Parliamentary motions, loss of trust in digital administration

Cost analysis and insurance coverage

| Cost item | Estimated cost | Covered by cyber insurance? |
|---|---|---|
| Incident Response & Forensics | CHF 500,000–1m | Yes – immediate specialist support |
| System restoration | CHF 1–2m | Yes – IT rebuild covered |
| Notification of affected persons | CHF 200,000–500,000 | Yes – regulatory obligation |
| Data protection legal advice | CHF 500,000–1m | Yes – legal protection included |
| Third-party liability (federation/cantons) | CHF 3–10m | Yes – cyber liability component |
| Third-party damage claims | CHF 1–5m | Yes – third-party coverage |
| Business interruption | CHF 500,000–1m | Yes – revenue loss coverage |
| Crisis communication & PR | CHF 200,000–500,000 | Yes – frequently included |
| FDPIC fine | CHF 0–500,000 | Partially – depends on policy |
| Reputational damage & customer loss | CHF 5–10m | No – long-term, unquantifiable |
| Estimated total damage (Concevis) | CHF 12–32m | ~50–70% potentially covered |

A cyber insurance policy with adequate coverage (CHF 10–20m) could have been crucial to Concevis’s survival. The liability component towards government clients would have been particularly important.

Lessons for Swiss SMEs

  1. IT providers as a risk factor: If your software vendor is hacked, your data is affected. Check whether your IT partners have adequate security measures and cyber insurance.

  2. Liability risks as a provider: If you provide software or IT services for other companies, you are liable for data losses. Cyber insurance with a liability component is essential.

  3. Phobos is dangerous for SMEs too: The Phobos ransomware specifically targets smaller companies. Because it is offered as Ransomware-as-a-Service (RaaS), it is accessible to less sophisticated attackers.

  4. Data sensitivity matters: Companies handling particularly sensitive data (tax, health, personal records) carry elevated risk and should adjust their coverage accordingly.

  5. Contractual protection: Clarify in your contracts with IT providers who is liable in the event of a cyber attack. Your own cyber insurance protects you regardless of your provider’s ability to pay.

  6. Regular audits: Regularly review the security standards of your IT partners. Certifications like ISO 27001 are a good indicator but no guarantee.

Get a free consultation. The specialists at BTAG Versicherungsbroker AG in Bern understand the particular risks of IT service providers and companies with sensitive customer data.

A service of BTAG Versicherungsbroker AG, Bern — independent advice since 1990.

BTAG Versicherungsbroker AG, member of SIBA, FINMA register no. 12229