A cyber-attack targeting the World Food Programme has exposed sensitive personal information belonging to some 600,000 households in Gaza, the UN’s food agency has confirmed, in what may be the largest-known breach of humanitarian beneficiary data to date.
By Jacob Goldberg and Irwin Loy
WFP is investigating a “security-related incident” in which “unauthorised actors” accessed personal information submitted by Palestinians in Gaza, the agency said in a statement sent to aid recipients via Telegram on 31 May.
The exposed information included names, ID and mobile numbers, and location data, the statement said.
WFP confirmed the data breach on 2 June: “WFP recently detected unauthorized access of its self-registration application (SRA) for Palestine, where individuals are able to register to receive food and cash assistance after verification,” a spokesperson said in a statement responding to questions from The New Humanitarian. “WFP took immediate action to shut down the platform, contain the intrusion, and strengthen its security controls to prevent further exposure.”
More than 2 million people in Gaza have submitted their personal information to WFP’s self-registration application, known as People Portal, which the WFP credits for cutting registration red tape and response times. The spokesperson said the compromised data is “isolated to the SRA application used only in Palestine”.
An investigation is underway, and no party has claimed responsibility, WFP said.
WFP said the cyber-attack occurred on 14 May. The Telegram message to affected Gazans was sent 17 days later.
Digital security experts say aid groups are increasingly the target of sophisticated hacks and cyber-attacks. In one of the largest previously known breaches of humanitarian data, sensitive personal information belonging to 515,000 people was exposed in a 2022 hack targeting the International Committee of the Red Cross. The following year, the Norwegian Refugee Council said a cyber-attack hit a database containing information on thousands of project participants in one country. In the past, the UN has also come under fire for failing to disclose cyber-attacks.
According to an anonymous whistleblower, who contacted The New Humanitarian on 31 May, WFP’s beneficiary feedback mechanism received a warning from an “independent expert” about vulnerabilities in the SRA two days before the breach. The whistleblower said they did not know the identity of the expert.
WFP’s Palestine country team relayed the warning to the agency’s Rome headquarters, where the cybersecurity team assured staff that the vulnerability had been resolved. The breach occurred that same day but was only detected a day or two later, according to the whistleblower.
The whistleblower questioned why WFP would wait more than two weeks to inform people in Gaza that their personal data, which could be used to pinpoint specific locations and cause harm, had been exposed. They added that WFP had conducted “no risk assessment” and made “no clear effort to evaluate or mitigate the security risks to people in Gaza” as of 31 May. Israeli forces have killed hundreds of Palestinians seeking aid from the WFP.
WFP said it was unable to answer specific questions about the timeline, other than the date of the breach.
The breach comes amid a contentious effort by Israel to obtain aid workers’ personal information as a condition for their employers’ access to Palestine. Israel’s Supreme Court upheld the requirement on 20 May, giving organisations 30 days to comply or be forced to end operations in the West Bank and Gaza.
“It comes at a very scary, unpredictable time where this law, and this data, can be literally weaponised against people, used to track people down, cause harm,” said a Gazan humanitarian worker, who received WFP’s statement and requested anonymity for security reasons, adding: “And it’s been breached.”
A sector with a poor track record
Aaron Martin, an assistant professor of media studies and data science at the University of Virginia, said he was not surprised to hear of another data breach hitting an aid organisation.
Humanitarian data protection practices generally lag behind the private sector, he said, even though aid agencies work with deeply vulnerable populations.
“A sector that claims to want to do the right thing – and that claims to abide by certain values and principles, despite some efforts to shore up protections and defences and to do better at enforcing and improving policy – has been pretty poor at protecting data,” said Martin, who has a background in cyber-security in the financial sector, and who now advises humanitarian organisations on digital transitions.
In this case, it appears WFP has tried to inform affected Gazans that their data has been compromised – a fundamental obligation. “Now, what those people are supposed to do with that information, besides freak out, is unclear,” he said. The breach “makes vulnerable people feel even more vulnerable”.
In the 31 May statement, and in a second Telegram statement sent out on 2 June, WFP said it had paused the SRA platform to implement security improvements. It said food, cash, and other assistance programmes will continue normally through existing systems, and beneficiaries do not need to update, delete, or re-register their information to keep receiving support.
The agency also urged beneficiaries to remain cautious of anyone claiming to represent WFP to request information or payments and advised against clicking suspicious links or sharing personal details with unknown sources.
The breach also spotlights data practices at WFP, which is consistently the world’s largest humanitarian agency, based on volume of funding.
The agency has long sought to grow its global beneficiary ID management programme, known as SCOPE. A 2021 audit noted that 63.8 million “identities” were registered in SCOPE, including some 20 million beneficiaries that were “actively managed”. At the time, SCOPE was used in 80% of the countries where WFP had a presence. An earlier 2017 audit said the agency needed major improvement in how it safeguarded beneficiary data.
WFP has previously said it intended a full rollout of SCOPE in Palestine in 2026. The agency said the May data breach did not affect SCOPE or other data management systems.
WFP has also come under fire for its relationship with Palantir, the US military contractor and big data analytics firm that is also highlighted in the “economy of genocide” UN rights report naming companies accused of sustaining Israel’s occupation of Palestine. Humanitarian organisations risk losing their protection under international law by partnering with military-linked technology companies, according to Access Now, a digital rights advocacy group that has documented the WFP-Palantir relationship.
WFP says its Palantir partnership backstops DOTS, a platform that combines data across systems.
A 2022 audit of WFP’s Palestine operations said risks related to personal data collection had not been assessed or mitigated due to limited internal technical capacity.
Edited by Andrew Gully.
–––––
The New Humanitarian puts quality, independent journalism at the service of the millions of people affected by humanitarian crises around the world. Find out more at www.thenewhumanitarian.org.






