Red Cross ‘Appalled’ As Hackers Steal Humanitarian Data Of 515,000 People

A new low. International Committee of the Red Cross shuts down reunification system, after hackers steal data of 515,000 vulnerable people

The International Committee of the Red Cross (ICRC) has become the latest victim of a cyberattack, which has compromised the data of hundreds of thousands of vulnerable people.

The aid agency admitted in a post on Wednesday that it had detected a “sophisticated cyber security attack” this week against its computer servers.

The cyberattack on Red Cross and Red Crescent data “compromised personal data and confidential information on more than 515,000 highly vulnerable people, including those separated from their families due to conflict, migration and disaster, missing persons and their families, and people in detention.”

Appalled, perplexed

It said the data had originated from at least 60 Red Cross and Red Crescent National Societies around the world.

The ICRC said its most pressing concern was the potential risks that come with this breach – including confidential information being shared publicly – for people that the Red Cross and Red Crescent network seeks to protect and assist, as well as their families, adding that when people go missing, the anguish and uncertainty for their families and friends is intense.

“An attack on the data of people who are missing makes the anguish and suffering for families even more difficult to endure,” said Robert Mardini, ICRC’s director-general.

“We are all appalled and perplexed that this humanitarian information would be targeted and compromised,” Mardini added. “This cyber-attack puts vulnerable people, those already in need of humanitarian services, at further risk.”

The ICRC said there are no immediate indications as to who carried out this cyber-attack, which apparently targeted an external company in Switzerland that the ICRC uses to store data.

There is also not yet any indication that the compromised information has been leaked or shared publicly.

“While we don’t know who is responsible for this attack, or why they carried it out, we do have this appeal to make to them,” said Mardini.

“Your actions could potentially cause yet more harm and pain to those who have already endured untold suffering,” said Mardini. “The real people, the real families behind the information you now have are among the world’s least powerful. Please do the right thing. Do not share, sell, leak or otherwise use this data.”

The ICRC along with the wider Red Cross and Red Crescent network jointly runs a program called Restoring Family Links that seeks to reunite family members separated by conflict, disaster or migration.

Because of the attack, the ICRC said it has been obliged to shut down the systems underpinning its Restoring Family Links work, affecting the Red Cross and Red Crescent Movement’s ability to reunite separated family members.

It said it was working as quickly as possible to identify workarounds to continue this vital work.

“Every day, the Red Cross Red Crescent Movement helps reunite on average 12 missing people with their families,” said Mardini. “That’s a dozen joyful family reunifications every day. Cyber-attacks like this jeopardise that essential work.”

“We are taking this breach extremely seriously,” he said. “We are working closely with our humanitarian partners worldwide to understand the scope of the attack and take the appropriate measures to safeguard our data in the future.”

Pay us for stolen data

The attack should come as no surprise: in the past few years hackers have sunk ever lower in their choice of targets, which have included hospitals and healthcare systems, even during the Coronavirus pandemic.

The attack has prompted reaction from the security industry, with some experts expressing hope that the hackers will realise what they have done, do the right thing and return the stolen data.

“On the 20th of Jan at 2 AM, CET, an advertisement was posted on a cybercrime forum alleging to have the stolen Red Cross data for sale,” noted David Sygula, senior analyst at CybelAngel. “The threat actor/poster does not offer any proof to verify the data and claims they are selling it on behalf of ‘someone.’”

“Since the actor/poster is on a newly registered account, it’s very hard to determine how much credit to give the offer,” said Sygula. “However, they do respond to Robert Mardini’s call ‘to do the right thing’ and urge the Red Cross to contact the cybercriminals and propose ‘a figure they can pay’.”

“But all hope is not lost for the Red Cross,” said Sygula. “We’ve similar cases where the data has been returned free of charge after angry messages had been posted on cybercrime forums.”

Extorting the vulnerable

Another expert warned this stolen data could have profound consequences for already very vulnerable individuals.

“We currently have no confirmed details on whether this attack was a lucky punch or a more tailored and targeted attack that had Red Cross as a target from the start,” said Tom Van de Wiele, Principal Security Consultant at F-Secure.

“Regardless of motivation or method, what is certain is that online criminals do not hesitate to try and extort the most vulnerable of society for profit when they do have the information,” said Van de Wiele.

“Depending on what information was leaked and who has access to it now and in the future, this could potentially have profound consequences for the individuals that are part of the stolen data as far as their personal details, whereabouts and connections to others in a time and place where they are already vulnerable,” he said.

Revisiting compromised systems

Another security expert warned that now that the hackers know about the compromised system of the third-party supplier, there is a risk they will return to see what else they can steal.

“The attack suffered by the Red Cross is extremely worrying, with the data of 515,000 ‘highly vulnerable people’ at risk,” said Brooks Wallace, VP EMEA at Deep Instinct.

“While they are still uncertain as to who conducted this attack, other cyber gangs now know that there are vulnerabilities within the Red Cross’ third party data storage provider,” said Wallace. “Unfortunately, when threat actors know that an organisation’s data is vulnerable and can be easily stolen, they are likely to return.”

Wallace pointed out that when the Red Cross system is running normally, it reunites 12 missing people with their families every day.

Now that this system is down, the risks for these people have increased.

“When seconds are vital in a missing person case, the last thing an organisation needs is for their data to be missing and that it could take weeks to recover or may never be recovered,” said Wallace.

“Humanitarian organisations are often a priority target to cyber criminals due to the amount of personal information they hold,” said Wallace. “During the early months of the pandemic, ransomware gangs had promised not to target medical organisations due to the pressure they were under, however, there is no honour among thieves and they soon started stealing medical data.”

“Gangs are ruthless, they don’t care about the humanitarian cause of an organisation and are only interested in targets which yield the greatest monetary gain,” said Wallace. “Organisations can no longer afford to think about ways to mitigate impacts of cyberattacks but must instead prevent them from infecting their network.”

“Most solutions, like endpoint detection and response (EDR), need an attack to execute before it can identify activity as malicious or benign, which is too slow when the fastest ransomware attacks can encrypt data within 15 seconds,” said Wallace.

“Organisations need to invest in solutions that use technology, such as deep learning, which can deliver a sub-20 millisecond response time to stop malware pre-execution and before it can take hold,” Wallace concluded. “Humanitarian organisations are already trying to solve enough time-pressure situations, the last thing they need looming over their heads is the threat of a cyberattack.”