A cyberattack on a Swiss contractor of the International Committee of the Red Cross (ICRC) led to a data breach affecting more than half a million people, the ICRC said in a news release on Wednesday. The stolen data belongs to an already vulnerable group of people enrolled in the “Restoring Family Links” initiative aimed at families broken up by disasters, war or migration.
The nature of the attack is still unknown, but the ICRC, which temporarily suspended the Restoring Family Links program, said the data included personal and confidential information.
“Your actions could potentially cause yet more harm and pain to those who have already endured untold suffering,” said Robert Mardini, ICRC’s director-general, pleading with the unknown attackers. “Please do the right thing. Do not share, sell, leak or otherwise use this data.”
Humanitarian and healthcare organizations are a favored target for hackers because of their strategic importance, the highly sensitive data they work with, and the media attention these types of incidents gain.
For example, over the last two years cybercriminals have been exploiting the COVID-19 pandemic to the fullest, using fear and uncertainty to launch attacks against people and organizations. There have been phishing attacks masked as “Free PCR test against Omicron”, United Nations COVID-19 compensation email scams, and a cyberattack targeting the Brazilian Ministry of Health that wiped out COVID-19 vaccination data.
Additionally, in 2021, the United Nations was breached by hackers and employee credentials were sold on the dark web. Also in 2021, the hacker group Nobelium cracked the email systems of the US State Department’s Agency for International Development (USAID) and sent infected messages to 3,000 accounts in 150 different organizations across 24 countries.
It’s not yet clear whether the attack against the ICRC is financially or politically motivated; the ICRC has been a vocal advocate of applying International Humanitarian Law (IHL) to prohibit cyberattacks against civilian targets during conflicts. However, if the stolen personal information were to fall into the hands of a state actor, it could be used to identify and persecute civilians belonging to a specific group.