Hackers Just Stole Location Data on Half a Million ‘Vulnerable’ People From Red Cross

Hackers Just Stole Location Data on Half a Million ‘Vulnerable’ People From Red Cross
Photo: Spencer Platt, Getty Images

A band of cybercriminals recently hacked the Red Cross — one of the world’s most well-known charities — in an effort to steal sensitive location and contact information on approximately half a million “highly vulnerable” people.

Originally founded in 1863, the International Committee of the Red Cross (ICRC, or simply, the “Red Cross”) is a vast humanitarian aid organisation known for helping at-risk populations throughout the world — including victims of war, refugees, and others affected by armed conflict and natural disaster. Operating in over 100 different countries, the ICRC annually doles out billions to provide medical services and housing to its recipients. And, apparently, somebody thought it would be a great idea to hack them.

On Wednesday, the ICRC published a statement to their website announcing a recent breach and begging the hackers not to publish any of the “highly sensitive data” that had been pilfered during the incident. That data, which the ICRC says was stolen from a contractor in Switzerland, includes “names, locations and contact information, as well as credentials used to access some of the organisation’s programs,” TechCrunch reported. The login information of approximately 2,000 ICRC staff and volunteers was also stolen.

Obviously, such information, in the wrong hands, could wreak a significant amount of havoc. “The attack compromised personal data and confidential information on more than 515,000 highly vulnerable people, including those separated from their families due to conflict, migration and disaster, missing persons and their families, and people in detention,” the organisation revealed in its statement Wednesday.

The hack has disrupted an entire aid program run by the ICRC, called Restoring Family Links, which reconnects separated family members who have been torn apart by warfare or natural disaster. In a statement accompanying Wednesday’s announcement, Robert Mardini, ICRC’s director-general, begged the criminals not to publish or leak the highly sensitive data.

“Your actions could potentially cause yet more harm and pain to those who have already endured untold suffering. The real people, the real families behind the information you now have are among the world’s least powerful. Please do the right thing. Do not share, sell, leak or otherwise use this data,” he said.

Thankfully, the ICRC has said that there is no indication that the compromised information has yet “been leaked or shared publicly” — though, given the circumstances, that could change at any moment. The organisation further noted that it has “no immediate indications” as to who carried out the attack — a detail which seems to suggest that no particular cybercriminal group has yet claimed responsibility for the attack.

“We are working closely with our humanitarian partners worldwide to understand the scope of the attack and take the appropriate measures to safeguard our data in the future,” Mardini further stated.