A cyberattack on a contractor used by the International Committee of the Red Cross (ICRC) has compromised the personal data of more than 515,000 “highly vulnerable people,” including people separated from their families by conflict and disaster, the organization said Wednesday.
The hack has forced the Red Cross to shut down IT systems that support a program that reunites families separated by conflict, migration or disaster, the humanitarian organization said.
It’s unclear who was responsible for the cyber incident, but the Red Cross said its “most pressing concern” was the potential for the compromised data to be leaked. There is no indication that has happened yet, according to the Red Cross.
“We are all appalled and perplexed that this humanitarian information would be targeted and compromised,” ICRC Director-General Robert Mardini said in a statement.
The hack hit a Switzerland-based firm that the Red Cross pays to store its data, the humanitarian organization said without naming the firm. The compromised data came from at least 60 of the “national societies,” or networks of volunteers and staff, around the world that the Red Cross uses as first responders to disasters.
“As a first step, we will work with most concerned ICRC delegations and Red Cross and Red Crescent societies on the ground to find ways to inform individuals and families whose data may have been compromised, what measures are being taken to protect their data and the risks they may possibly face,” Red Cross spokesperson Elizabeth Shaw told CNN in an email.
Shaw said that ransomware was not involved in the incident and that the Red Cross was working with “highly specialized” cybersecurity firms to respond to the hack.
Lukasz Olejnik, a former cyber warfare adviser at Red Cross headquarters in Geneva, told CNN that the incident “seems to be the biggest and most sensitive breach in history of ICRC and, probably, considering the sensitiveness, of all humanitarian organizations to date.”
The Red Cross should consider asking governments that are party to the Geneva Conventions for help in recovering from the hack, Olejnik, who is an independent cybersecurity consultant, told CNN.