Justice department sloppy when disposing of hard drives

The canton has been aware of the data leak since November 2020. But it did not consider it necessary to inform the public.

In the Neugasshof rock bar, hard drives belonging to the Zurich judiciary were stored with sensitive data.

Fabian Baumgartner

If there is one directorate in the administration of the Canton of Zurich that should be particularly careful in handling sensitive data, then it is the Directorate of Justice. It is responsible for the public prosecutor’s office, the prisons and the juvenile justice system.

If confidential information from these institutions falls into the wrong hands, this can have serious consequences. Apparently that is exactly what happened.

For years, IT equipment from the Department of Justice was not properly disposed of. Data on computer hard drives had not been erased or could easily be restored, and the drives ended up with various people in Zurich’s drug and sex milieu. This emerges from a question that the SVP cantonal councillor and milieu lawyer Valentin Landmann submitted together with Nina Fehr Düsel (SVP) and Yiea Wey Te (FDP) in parliament.

A man accused of trafficking hemp recently handed over 20 unerased hard drives to prosecutors, the request said. The data carriers contained psychiatric reports, dangerousness reports on suspects, cell phone lists from police officers and even documents on the planning of the new police and justice center.

Hard drives “found” in the bar

How does Landmann know that? The alleged hemp dealer is one of his clients, Roland Gisler. Gisler runs the Zurich rock bar Neugasshof in Kreis 5, which served as a drug hub for years. At the beginning of November, the High Court sentenced Gisler to an unconditional four-year prison term for gang and commercial violations of the Narcotics Act, depictions of violence and the violation of the Weapons Act. The judgment is not final.

According to the Tamedia newspapers, Gisler handed over the hard drives to the authorities during these proceedings. The “Neugasshof” host states that the devices came to him through his brother. The brother disposed of discarded computers, printers and servers on behalf of the Justice Department. Gisler told the NZZ on the phone that “thousands” of devices had come together over the years. The brother was allowed to keep them as payment for his work.

He says he “found” the hard drives that he handed over to the public prosecutor’s office in his bar. He apparently made use of the data he discovered on the hard drives himself: as the “Blick” and the Tamedia newspapers write, Gisler is said to have threatened judges and prosecutors, called them on their mobile phones and visited them at their private residences. A new case was therefore opened against him.

Valentin Landmann says he made the data leak in the Justice Department public with Gisler’s consent. Landmann is not representing him in the new proceedings opened against Gisler because of a conflict of interest.

The SVP cantonal councillor is appalled at how the judiciary has handled confidential data for years. “Apparently all departments were affected,” says Landmann. “The hard drives were disposed of in a completely idiotic and amateurish way. You can’t just give them to a third party and hope they’ll erase those hard drives.” Confidential information has now “got into lots of places where it doesn’t belong”.

A criminal case is underway

In a written statement, the Justice Directorate dates the sloppy device disposal to 2006 to 2012. During this period, Markus Notter (SP) and Markus Graf (Greens) headed the Directorate. It is not yet clear what amount of data and what type of data has come into circulation, the statement said. The Directorate of Justice, which is now headed by Jacqueline Fehr (SP), writes: “It is conceivable that sensitive data is also affected.”

The incident has been known since November 2020. As a result, the General Secretariat commissioned an administrative investigation from external lawyers. The results have been available since the end of March 2021. The audit commission of the cantonal council, the cantonal data protection officer and the financial control were immediately informed about the suspicion and the administrative investigation – but not about the result, as the “Blick” writes.

A “data loss of this kind” has been ruled out for ten years. In 2013, the management redesigned its processes. Since then, the disposal of computer hardware has been carried out “according to professional and certified processes”.

Before the conclusion of the criminal proceedings, Fehr’s Directorate of Justice does not want to provide any further information. So it remains unclear for the time being why the government did not inform the public.

The canton is responsible

The cantonal data protection officer Dominika Blonski is aware of the data leak. As she confirmed to the NZZ, the canton reported it. This has been mandatory for 2.5 years. Blonski does not want to say when the report was made, due to ongoing proceedings. She therefore does not comment further on the case, but provides general information on the subject of data destruction.

Authorities have two options for deleting hard drives: do it yourself or hire an external agency to do it. “When the job is outsourced, it usually goes to a company or person that’s certified for the job,” says Blonski. “This ensures that the right processes and standards are observed.” Data carriers can be overwritten, degaussed or shredded to erase their contents.

According to Blonski, the destruction of hard drives must always be logged. “And the client remains responsible.”

As an inquiry by the NZZ to the government shows, the data is now being deleted as described by Blonski. When hard drives are destroyed, the removable media would be handed over to an external partner who would shred them according to a DIN standard and confirm the process in writing, says government spokesman Andreas Melchior.

Regarding data destruction in a cloud, Melchior points out that data in the cloud is encrypted. “If it is no longer needed and deleted in an application, the data is also deleted in the cloud after a short transition period. That’s contractually agreed.”

Since spring 2022, the IT department has been gradually equipping the cantonal administration with a new digital workplace. According to Melchior, all hard drives are encrypted on these new devices; plaintext data is no longer visible.

Meanwhile, Canton Councilor Valentin Landmann is demanding information from the government about how many hard drives and what content fell into the wrong hands. The governing council has three months to respond.

The data leak is now also being discussed at national level. The sub-commission of the business audit commission responsible for the judiciary is taking care of the matter, its President Alfred Heer (SVP) told the “Blick”. Specifically, they want to find out to what extent the Federal Department of Justice and the Federal Office of Police are affected by the data leak, the Zurich National Councillor explains.