Cyberattack on Red Cross compromised sensitive data on over 515,000 vulnerable people

The International Committee of the Red Cross has revealed that hackers have stolen data on over 515,000 "highly vulnerable people," recipients of aid and services from at least 60 affiliates of the charitable organization worldwide.

During the investigation into the extent of the attack, which targeted a contractor in Switzerland that was storing the data, the Red Cross has been forced to temporarily halt a program that reunites families torn apart by violence, migration or other tragedies.

The biggest concern is that the hackers will ransom, leak or sell sensitive information on the families and their locations to bad actors who might seek to cause further harm to victims. The Red Cross says it typically reunites 12 missing people with their families every day, work that will be interrupted for fear of further danger.

The aid organization, known for its role in armed conflicts, on Wednesday pleaded directly with the hackers in a statement to keep the data confidential.

"The real people, the real families behind the information you have now are among the world's least powerful," said Robert Mardini, the ICRC's director-general. "Please do the right thing. Do not sell, leak, or otherwise use this data."

The Red Cross did not immediately attribute the attack to specific cybercriminals, terrorists or nation-state hackers, nor did it provide any information or speculation about potential motivation for the cyberattack on its contractor in Switzerland.

A spokesperson for the ICRC in Washington, D.C., Elizabeth Shaw, told NPR that "there have been no demands" from the hackers in exchange for stolen data, indicating that the breach was likely not a ransomware attack.

The Red Cross has partnered with "highly specialized firms" to help deal with what it's calling a "sophisticated" attack, Shaw said. "Our message is to underscore that real people, real families are behind the data and sharing, selling or using it has the potential to harm," she wrote in an email to NPR.

It's still unclear why the hackers accessed the information, particularly as they haven't communicated any demands. However, vulnerable people can make for ideal targets for other possible scams and extortion, while refugees can become political pawns in broader geopolitical conflicts. Aid organizations could be espionage targets as well. Both the United Nations and the State Department's Agency for International Development were breached in 2021.

The families themselves, already victims of conflict and suffering, will be separated from family members longer periods of time, now fearful that they could be vulnerable to having their personal information exposed. "This cyber-attack puts vulnerable people, those already in need of humanitarian services, at further risk," Mardini said.

Chris Painter, the president of the Global Forum on Cyber Expertise and the former top cyber diplomat at the State Department, told NPR the breach "highlights the human cost to hacking," rather than simply the financial cost to most companies and organizations that are victims of cyberattacks.

Similar to other sectors, the humanitarian community has benefited from advanced technology to more easily store data and improve response time in crises. However, those organizations don't always have the resources for advanced cybersecurity.

Niel Harper, the chief information security officer for the U.N. Office for Project Services, and Daniel Dobrygowski, the head of governance and trust at the World Economic Forum, wrote a piece earlier this week on why humanitarian organizations need to invest in cybersecurity — and why more well-endowed funders as well as tech companies should shoulder some of the cost. "Donors must view cybersecurity as critical to aid operations," they wrote.

Cybersecurity experts called for an international response to the cyberattack against the Red Cross.

"Exposing data of vulnerable people in the Red Cross database should be urgently addressed by international community and the perpetrators should be brought to justice," wrote Heli Tiirmaa-Klaar, the director of the Digital Society Institute in Berlin in an email to NPR. She previously served as Estonia's ambassador-at-large for cyber diplomacy.

"This is another grim reminder that cyber risks have real world consequences, and should be dealt with utmost care and responsibility," she added.