
On January 19, the International Committee of the Red Cross (ICRC) published a press release with details of a sophisticated cyber security attack that compromised the personal data of more than 500,000 highly vulnerable people. This press release was the first of multiple articles containing transparent coverage about the Red Cross data breach. In this post, we’ll outline how and why this cyber-attack occurred and provide our commentary on their handling of the incident:
The ICRC’s global Restoring Family Links services were compromised in this data breach. This service, provided by the ICRC, helps to connect people around the world who are separated by war, violence, migration and other causes. The database also contains information about missing persons and their families and people in detention.
The data breach impacted at least 60 Red Cross and Red Crescent national societies around the world and compromised personal data and confidential information on more than 515,000 people. The personal data exposed in the breach includes names, locations, and contact information of these highly vulnerable people, as well as login information for about 2,000 Red Cross and Red Crescent staff and volunteers.
The risks stemming from this breach are significant. The ICRC’s director-general Robert Mardini noted “This cyber-attack puts vulnerable people, those already in need of humanitarian services, at further risk.”
The Restoring Family Links service was suspended as a result of this cyber-attack.
The ICRC was specifically targeted by hackers in this attack. The hackers created a piece of code designed purely for execution on the ICRC’s servers and they used a very specific set of advanced hacking tools to execute the cyber-attack. These tools are not available publicly.
Moreover, the hackers went to considerable lengths to hide and protect their malicious programs. One technique they relied on was disguising their presence in the system as that of legitimate users.
Unfortunately, it appears that this breach is just the latest in a string of targeted attacks on international human rights groups and disaster relief agencies. In April 2021, the United Nations’ project management software was breached by unknown cyber attackers who accessed information that would allow them to target some UN agencies. On 25 May 2021, a Russian-backed hack of a marketing email account belonging to the US Agency for International Development resulted in the distribution of malicious emails to approximately 3,000 accounts across more than 150 organizations.
There are two key takeaways here for humanitarian organisations and corporations:
While we’re yet to see what, if any, consequences the ICRC will face following its recent data breach, it is clear that they are promoting transparency in the wake of the cyber-attack. Following the Restoring Family Links data breach, the Red Cross published an article containing information about what individuals should do if they are concerned their data may have been breached. This was published alongside early details of the cyber-attack and an empathetic commitment to doing better in the future. (Read it here)
They have since published an open letter from Robert Mardini, outlining what the ICRC has done in response to the cyber-attack as well as further details about how the breach occurred. The director-general noted that the ICRC feels “it is our responsibility as a humanitarian organisation accountable to our partners and the people we serve to share what we can about this unacceptable attack.”
The Australian Red Cross Blood Service took a similar approach following a 2017 data breach. That breach occurred when human error resulted in a third-party provider accidentally publishing the confidential information of 550,000 prospective blood donors. In this case, the OAIC noted that the Red Cross took immediate steps to voluntarily notify affected individuals and took responsibility for its actions:
“Data breaches can still happen in the best organisations — and I think Australians can be assured by how the Red Cross Blood Service responded to this event. They have been honest with the public, upfront with my office, and have taken full responsibility at every step of this process.”
This highlights that organisations cannot outsource their privacy obligations and can be held responsible for the actions of third-party vendors.
If your organisation is uncertain how it would handle a data breach, it’s likely you do not have sufficient data breach planning in place. You can find more information about data breach notification obligations in Australia, or you can contact us: