“Anguish and suffering” – Experts analyze the massive Red Cross data breach

"Your actions could potentially cause yet more harm and pain to those who have already endured untold suffering."
21 January 2022

“A sophisticated cyber security attack against computer servers hosting information held by the International Committee of the Red Cross (ICRC) was detected this week,” the Red Cross said. (Photo by Andreas SOLARO / AFP)

The International Committee of the Red Cross was the victim of a massive cyberattack in which hackers seized the data of more than 515,000 extremely vulnerable people — some of whom had fled conflicts — it was revealed this week. The attack on the non-governmental humanitarian organization has drawn heated attention from many expert observers.

“A sophisticated cyber security attack against computer servers hosting information held by the International Committee of the Red Cross (ICRC) was detected this week,” the Red Cross said in a statement. “The attack compromised personal data and confidential information on more than 515,000 highly vulnerable people, including those separated from their families due to conflict, migration and disaster, missing persons and their families, and people in detention.”

The body, which has its headquarters in Geneva, had no immediate indication as to who might have carried out the attack. It said the hackers targeted an external company in Switzerland that the ICRC contracts to store data. At the time of writing, there was no evidence that the compromised information had been leaked or put out in the public domain.

The ICRC said its “most pressing concern” was the “potential risks that come with this breach — including confidential information being shared publicly — for people that the Red Cross and Red Crescent network seeks to protect and assist, as well as their families”.

The data originated from at least 60 Red Cross and Red Crescent National Societies around the world. “An attack on the data of people who are missing makes the anguish and suffering for families even more difficult to endure. We are all appalled and perplexed that this humanitarian information would be targeted and compromised,” said ICRC director-general, Robert Mardini. “This cyberattack puts vulnerable people, those already in need of humanitarian services, at further risk.”

A member of the French Red Cross registers people coming to undergo an antigen test at a mobile Covid-19 screening site — the sort of data that might have been compromised. (Photo by Pascal GUYOT / AFP)

And he called on those responsible to “do the right thing — do not share, sell, leak or otherwise use this data”. Mardini added, “Your actions could potentially cause yet more harm and pain to those who have already endured untold suffering.”

As a result of the attack, the ICRC had been forced to shut down the computer systems underpinning its Restoring Family Links program, which seeks to reunite family members separated by conflict, disaster or migration, the statement said. “We are working as quickly as possible to identify workarounds to continue this vital work,” it added.

The data breach and its ongoing, devastating fallout have attracted heated debate from experts and industry observers alike.

“This is a potentially devastating breach for the families of missing individuals, as stolen information could be used to phish or scam those looking for friends and family. We saw multiple cases of this during the Japan earthquake and tsunami in 2011, with fake Red Cross websites, emails, and more,” noted Chris Boyd, the lead analyst at Malwarebytes, which detects and removes malware for individual consumers and businesses. “By and large, those attacks were untargeted. If this data leaks, it may place relatives of the missing in perilous situations and leave them open to highly targeted blackmail and fraud. Named individuals fleeing certain oppressive governments could be left vulnerable to abuse, depending on whose hands the data falls into.”

Brooks Wallace, VP EMEA at Deep Instinct, agreed that the breach was “extremely worrying” as it compromised the data of over half a million at-risk, highly vulnerable individuals. To make matters worse, Wallace pointed out that other cyber gangs now know that there are vulnerabilities within the Red Cross’ third-party data storage provider, adding, “Unfortunately, when threat actors know that an organisation’s data is vulnerable and can be easily stolen, they are likely to return.”

“Humanitarian organisations are often a priority target to cyber criminals due to the amount of personal information they hold. During the early months of the pandemic, ransomware gangs had promised not to target medical organisations due to the pressure they were under; however, there is no honour among thieves and they soon started stealing medical data,” he continued. “Gangs are ruthless; they don’t care about the humanitarian cause of an organisation and are only interested in targets which yield the greatest monetary gain. Organisations can no longer afford to think about ways to mitigate impacts of cyberattacks but must instead prevent them from infecting their network.”

Lotem Finkelstein, the Head of Threat Intelligence and Research for leading cybersecurity solutions provider Check Point Software, also spotlighted the risk to sensitive, potentially life-threatening data like medical info. “Hackers show no mercy on healthcare or other such humanitarian targets, and the Red Cross is not alone here,” Finkelstein said. “Hacking groups are aware of the sensitivity of this data, and they see them as ‘fast money targets’. Hospitals and healthcare organisations can’t afford to halt operations, as it could literally lead to life or death situations.”

“The ICRC, and the Red Cross more generally, have been attacked several times down the years,” commented Boyd. “It remains to be seen if the external company hosting the compromised data was aligned with the guidance and suggestions in the ICRC handbook on data protection.”

“The threat actors involved in the cyber attack on the Red Cross went straight for the jugular,” proclaimed Finkelstein. “They went after the organisation’s most sensitive data, seeking to create as much leverage as possible against the Red Cross. The larger risk here is leak of compromised data, which could lead to potentially devastating consequences for victims.”

“The cyber attack on the Red Cross makes vulnerable people even more vulnerable, potentially forcing them to suffer longer and endure further pain,” elaborated the threat researcher. “Unfortunately, hackers view their targets as a business, and the business of cyberattacks is ruthless. And thus, we expect the trend of threat actors targeting healthcare organisations to only continue as we go into 2022.”