The International Committee of the Red Cross (ICRC) has been the victim of a cyber-attack in which hackers managed to access the data of more than 515,000 extremely vulnerable people. Below is the statement by ICRC in relation to this attack:

“The attack compromised personal data and confidential information on more than 515,000 highly vulnerable people, including those separated from their families due to conflict, migration and disaster, missing persons and their families, and people in detention.” The body, which has its headquarters in Geneva, had no immediate indication as to who might have carried out the attack. It said the hackers targeted an external company in Switzerland that the ICRC contracts to store data. There was no evidence so far that the compromised information had been leaked or put in the public domain.”

Experts Comments

January 21, 2022
Jamie Moles
Senior Technical Manager
ExtraHop

Charity is big business nowadays. There is much concern from charity watchdogs about some larger organisations holding significant capital in investments and not spending it on the cause they are meant to be championing. A few prominent charities in the UK have been accused of spending less than 10% of their income on their stated mission - the rest going on salaries, premises and marketing. So, from an entrepreneurial criminals point of view, attacking these organisations would be no different

.....Read More

Charity is big business nowadays. There is much concern from charity watchdogs about some larger organisations holding significant capital in investments and not spending it on the cause they are meant to be championing. A few prominent charities in the UK have been accused of spending less than 10% of their income on their stated mission - the rest going on salaries, premises and marketing. So, from an entrepreneurial criminals point of view, attacking these organisations would be no different to attacking any other large business. However, the Red Cross is reputed to spend 72% of its donations on charitable services.

This could play out in a number of ways. The charity could - and should - plead their case to the extorters not to release the data. The attackers could be concerned about bad press surrounding attacking a charity and move onto other targets. Finally, charities aren’t well known for spending money on security. Perhaps this might force a review of priorities.

  Read Less
January 21, 2022
Elizabeth Wharton
VP Operations
SCYTHE

The disclosed impacted data is attractive to cyber criminals for use in perpetuating fraud, among other possibilities. The data is difficult to protect and can be used for identify theft, for example. These vulnerable populations likely don’t have the resources to follow up and clear the discrepancies due to financial or perhaps personal safety reasons. 

January 20, 2022
Dan Davies
CTO
Maintel

This most recent breach is a warning shot for large charitable organisations, especially those holding personal data on vulnerable people, that they are not exempt from the attention of hackers. The large amount of data they hold makes them prime targets for ransomware attacks. 

“Ensuring data is secure must be a 24/7 job. Cyber criminals are continuously probing and looking for weaknesses, and it only takes a single vulnerability to enable a breach. Whether held on your systems or a company

.....Read More

This most recent breach is a warning shot for large charitable organisations, especially those holding personal data on vulnerable people, that they are not exempt from the attention of hackers. The large amount of data they hold makes them prime targets for ransomware attacks. 

“Ensuring data is secure must be a 24/7 job. Cyber criminals are continuously probing and looking for weaknesses, and it only takes a single vulnerability to enable a breach. Whether held on your systems or a company contracted by you, if it is your data regarding users of the charity or organisation, or vulnerable people, it is your responsibility. 

“Organisations can’t promise to stave off every attack, but they can understand how attacks occur, what types of data is at the greatest risk and how to lessen the blow. Regardless of their size, organisations need to remain always on guard and ensure they have the right tools, technologies and processes in place to fight off would-be cyber attackers.

  Read Less
January 20, 2022
Jon Andrews
VP of EMEA
Gurucul

This is another unfortunate example that hacking groups or individuals are indiscriminate and will target any and all vulnerabilities, even if those vulnerabilities concern vulnerable people. Potentially gone are the days of the published moral code of all hacking groups such as Anonymous. There are groups out there who do not share the same ethics and it puts every organization at risk.

January 20, 2022
John Goodacre
Director of UKRI’s Digital Security and Professor of Computer Architectur
The University of Manchester

Unfortunately, we live in a world where people make mistakes when using computers and the applications themselves have bugs. Together these create vulnerabilities that can be exposed through even the most stringent cyber defences. Industry and businesses can do little about the software vulnerabilities in computers other than apply patches after they have become known, and potentially exploited, and stop data loss or systems being held to ransom. For years around 70% of the ongoing reported

.....Read More

Unfortunately, we live in a world where people make mistakes when using computers and the applications themselves have bugs. Together these create vulnerabilities that can be exposed through even the most stringent cyber defences. Industry and businesses can do little about the software vulnerabilities in computers other than apply patches after they have become known, and potentially exploited, and stop data loss or systems being held to ransom. For years around 70% of the ongoing reported software vulnerabilities are due to bugs in the way software works. The UK government is supporting industry and academia through the UKRI Digital Security by Design programme to introduce new fundamental technologies that can block software vulnerabilities from exploitation. This latest cyberattack again amplifies the need that everyone must maintain the best cyber practices and ensure all software is fully patched to reduce the risk that any vulnerability is exposed to exploitation.

  Read Less
January 24, 2022
Matt Aldridge
Principal Solutions Architect
Webroot

It’s clear that the public sector is currently a key target for cybercriminals amid the pandemic, and unfortunately this attack has demonstrated that the charity sector is no different.

Although we’ve seen a recent trend of cybercriminals becoming more ‘ethical’ in the types of organisations they go after, ICRC may hold valuable personal, operational, and political data which makes them a tempting target for malicious state and criminal actors alike.  

A potential concern here is the use of

.....Read More

It’s clear that the public sector is currently a key target for cybercriminals amid the pandemic, and unfortunately this attack has demonstrated that the charity sector is no different.

Although we’ve seen a recent trend of cybercriminals becoming more ‘ethical’ in the types of organisations they go after, ICRC may hold valuable personal, operational, and political data which makes them a tempting target for malicious state and criminal actors alike.  

A potential concern here is the use of stolen data to enable further attacks. It is much easier to fool victims with a phishing email once you know details about them. Individuals should remain vigilant in scrutinising the types of emails they receive and remember to never share personal or financially sensitive information over the internet. Unfortunately, these threats are becoming more sophisticated and believable, and it only takes one click to put users and entire organisations at risk. 

It’s therefore crucial for all charitable organisations to consider cybersecurity defences as a necessity and to secure the necessary budget and mindset to implement them. Secondly, data must always be backed up so systems can be restored if needed. Staff training is another essential for defending against phishing and other social engineering attacks, so they know what to look out for. The training materials used also need to be constantly updated to reflect the latest threat trends, and regular simulations should be run to ensure that the training is having the desired effect. 

Finally - as we see in this case, the security of third-party vendors must be carefully scrutinised, and outsourcing a particular technical challenge does not absolve the purchaser of its responsibilities around data protection.  Attacks against supply chains and managed service providers are continuing to grow in volume and sophistication, so ensure that you evaluate your partners carefully.

  Read Less
January 21, 2022
Brooks Wallace
VP EMEA
Deep Instinct

The attack suffered by the Red Cross is extremely worrying, with the data of 515,000 "highly vulnerable people" at risk. While they are still uncertain as to who conducted this attack, other cyber gangs now know that there are vulnerabilities within the Red Cross’ third party data storage provider. Unfortunately, when threat actors know that an organisations’ data is vulnerable and can be easily stolen, they are likely to return.  

With operations unable to run at 100% it can have damaging and

.....Read More

The attack suffered by the Red Cross is extremely worrying, with the data of 515,000 "highly vulnerable people" at risk. While they are still uncertain as to who conducted this attack, other cyber gangs now know that there are vulnerabilities within the Red Cross’ third party data storage provider. Unfortunately, when threat actors know that an organisations’ data is vulnerable and can be easily stolen, they are likely to return.  

With operations unable to run at 100% it can have damaging and lasting impacts on families. The Red Cross have already said that on average when the organisation isn't under a cyberattack, it reunites 12 missing people with their families a day. When seconds are vital in a missing person case, the last thing an organisation needs is for their data to be missing and that it could take weeks to recover or may never be recovered.  

Humanitarian organisations are often a priority target to cyber criminals due to the amount of personal information they hold. During the early months of the pandemic, ransomware gangs had promised not to target medical organisations due to the pressure they were under, however, there is no honour among thieves and they soon started stealing medical data. Gangs are ruthless, they don’t care about the humanitarian cause of an organisation and are only interested in targets which yield the greatest monetary gain. Organisations can no longer afford to think about ways to mitigate impacts of cyberattacks but must instead prevent them from infecting their network.  

Most solutions, like endpoint detection and response (EDR), need an attack to execute before it can identify activity as malicious or benign, which is too slow when the fastest ransomware attacks can encrypt data within 15 seconds. Organisations need to invest in solutions that use technology, such as deep learning, which can deliver a sub-20 millisecond response time to stop malware pre-execution and before it can take hold. Humanitarian organisations are already trying to solve enough time-pressure situations, the last thing they need looming over their heads is the threat of a cyberattack.

  Read Less
January 21, 2022
Chris Clements
VP
Cerberus Sentinel

This attack is beyond disgusting, but sadly not surprising. Any data that is valuable to threat actors will be targeted for compromise and there are many potential motivations for pursuing this information. It could be politically motivated to target those fleeing conflict, financially related to target for fraud- think sending family members of those whose information was compromised with requests for money, or simply a target of opportunity. The lack of public extortion demands could indicate

.....Read More

This attack is beyond disgusting, but sadly not surprising. Any data that is valuable to threat actors will be targeted for compromise and there are many potential motivations for pursuing this information. It could be politically motivated to target those fleeing conflict, financially related to target for fraud- think sending family members of those whose information was compromised with requests for money, or simply a target of opportunity. The lack of public extortion demands could indicate the attack is more likely to be politically motivated, but it’s difficult to say for sure. This incident reinforces the desperate need for organizations to evaluate the risk that their business partners and vendors expose them to. It’s not enough to assume the organizations you share data with are doing their due diligence to ensure that the data is secure. It’s incumbent on organizations to press their business partners and vendors to actively demonstrate that they are appropriately protecting their data with the suitable technical and operational controls, continuous monitoring, and regular testing to validate that no mistakes may have occurred to expose the organization to risk. It’s also just as important for organizations to consider what additional controls they may have at their disposal to protect themselves above and beyond what their vendors or business partners may be doing. It’s impossible to say without understanding the nature of how this data was being used, but it may have been possible for the Red Cross to prevent this breach by applying their own data encryption layer such that even if their provider got breached, attackers would not be able to steal unencrypted information.

  Read Less
January 21, 2022
Chris Boyd
Lead Malware Intelligence Analyst
Malwarebytes

This is a potentially devastating breach for the families of missing individuals, as stolen information could be used to phish or scam those looking for friends and family. We saw multiple cases of this during the Japan earthquake and tsunami in 2011, with fake Red Cross websites, emails, and more. By and large, those attacks were untargeted. If this data leaks, it may place relatives of the missing in perilous situations and leave them open to highly targeted blackmail and fraud. Named

.....Read More

This is a potentially devastating breach for the families of missing individuals, as stolen information could be used to phish or scam those looking for friends and family. We saw multiple cases of this during the Japan earthquake and tsunami in 2011, with fake Red Cross websites, emails, and more. By and large, those attacks were untargeted. If this data leaks, it may place relatives of the missing in perilous situations and leave them open to highly targeted blackmail and fraud. Named individuals fleeing certain oppressive governments could be left vulnerable to abuse, depending on whose hands the data falls into. 

The ICRC, and the Red Cross more generally, have been attacked several times down the years. It remains to be seen if the external company hosting the compromised data was aligned with the guidance and suggestions in the ICRC handbook on data protection.

  Read Less
January 21, 2022
Wade Woolwine
Principal Security Researcher
Rapid7

While some cybercriminal groups have rules to keep organizations like the Red Cross out of the line of fire, this isn’t a universally adopted position. This attack seems to have little financial gain for the cybercriminals behind it, but we’re increasingly seeing attacks that are just as much about disruption, fear, and discrediting opposing ideologies instead of making money. Regardless of whether this was targeted or merely opportunistic, it’s clear that every organization faces some

.....Read More

While some cybercriminal groups have rules to keep organizations like the Red Cross out of the line of fire, this isn’t a universally adopted position. This attack seems to have little financial gain for the cybercriminals behind it, but we’re increasingly seeing attacks that are just as much about disruption, fear, and discrediting opposing ideologies instead of making money. Regardless of whether this was targeted or merely opportunistic, it’s clear that every organization faces some level of material cyberthreat today.

  Read Less
January 21, 2022
Garret F. Grajek
CEO
YouAttest

There is no honor amongst thieves - and that phrase is more than apt to the modern hackers.  Identities are the treasure they seek - and I’m sure their mentality is - if the givers have enough to give for charity - there more in the kitty for them to pursue/ransom. The key for the organizations is to assume their defenses are being probed and thus enact the counter measures that exist once a breach has occurred. The U.S. CISA organization just released best practices which included obvious

.....Read More

There is no honor amongst thieves - and that phrase is more than apt to the modern hackers.  Identities are the treasure they seek - and I’m sure their mentality is - if the givers have enough to give for charity - there more in the kitty for them to pursue/ransom. The key for the organizations is to assume their defenses are being probed and thus enact the counter measures that exist once a breach has occurred. The U.S. CISA organization just released best practices which included obvious measures such as patches and 2FA - but also advised on pro-active measures such as identity and network reviews.

  Read Less
January 21, 2022
Tom Garrubba
Senior Director and CISO
Shared Assessments

Vulnerabilities at third party vendors continue to remain top of mind for businesses and threat actors alike. Sadly, this attack affected such a noble organization as the Red Cross. If the threat actors knew this, this adds further evidence that threat actors can – and will – go after anyone. No organization, even those that have storied histories of doing good in the world, are safe from a cyberattack. One can simply hope that these threat actors will not bring additional pain to those

.....Read More

Vulnerabilities at third party vendors continue to remain top of mind for businesses and threat actors alike. Sadly, this attack affected such a noble organization as the Red Cross. If the threat actors knew this, this adds further evidence that threat actors can – and will – go after anyone. No organization, even those that have storied histories of doing good in the world, are safe from a cyberattack. One can simply hope that these threat actors will not bring additional pain to those “highly vulnerable people” who relied on the Red Cross to assist them in dealing with a tragic loss. Additionally, non-profit organizations must realize they and their vendors can also come under attack and it’s absolutely imperative to conduct ongoing and mature third party risk management.

  Read Less
January 21, 2022
Saumitra Das
CTO and Co-founder
Blue Hexagon

It is critical for organizations to not just worry about their cyber hygiene but also third parties that they use to store their data or host their services including large cloud service providers. Even if you are well secured, your data can still be breached by attacks on third parties. It is critical to evaluate the security controls and not just compliance policies of third parties an organization works with whether they provide appliances, SaaS services, hosting or infrastructure as a

.....Read More

It is critical for organizations to not just worry about their cyber hygiene but also third parties that they use to store their data or host their services including large cloud service providers. Even if you are well secured, your data can still be breached by attacks on third parties. It is critical to evaluate the security controls and not just compliance policies of third parties an organization works with whether they provide appliances, SaaS services, hosting or infrastructure as a service.

  Read Less
January 20, 2022
Trevor Morgan
Product Manager
comforte AG

From time to time, a cyber-attack demonstrates the utter lack of compassion that hackers possess. Reports of a sophisticated attack targeting the International Committee of the Red Cross (ICRC)—a global humanitarian organization providing much-needed assistance to the victims of conflict and violence—make a compassionate person recoil at a flagrant instance of kicking people when they’re already down and out. Of course, the third-party business which stores the ICRC’s data bears

.....Read More

From time to time, a cyber-attack demonstrates the utter lack of compassion that hackers possess. Reports of a sophisticated attack targeting the International Committee of the Red Cross (ICRC)—a global humanitarian organization providing much-needed assistance to the victims of conflict and violence—make a compassionate person recoil at a flagrant instance of kicking people when they’re already down and out. Of course, the third-party business which stores the ICRC’s data bears responsibility for adequately storing and protecting sensitive information, so we can only hope that the personal data of those who are already suffering cannot or will not be leveraged by the guilty threat actors. Data-centric security in the form of strong encryption, tokenization, and format-preserving encryption can ensure that even in situations like this one, threat actors can’t profit from the information they steal, even if they are able to get their hands directly on it, by obfuscating the true meaning of sensitive data elements. It’s unclear at this point whether this level of data protection guards the information of the over 500K victim data subjects involved in this attack (though we should be skeptical given the appeal not to share any sensitive information), but our best wishes go with them and the ICRC nonetheless.

  Read Less
January 20, 2022
Martin Jartelius
CSO
Outpost24

Generally it would be hard for a third party to identify the correlation between a data store and its main application when it occurs in the external system as this. We can only hope that sophisticated attacker does mean that no one left a database or bucket open against the internet again. Generally, breaching humanitarian organizations is frowned upon amongst hackers, but this data could in theory be of interest to various regimes looking for specific individuals, so the breach is one which

.....Read More

Generally it would be hard for a third party to identify the correlation between a data store and its main application when it occurs in the external system as this. We can only hope that sophisticated attacker does mean that no one left a database or bucket open against the internet again. Generally, breaching humanitarian organizations is frowned upon amongst hackers, but this data could in theory be of interest to various regimes looking for specific individuals, so the breach is one which severity should not be underestimated.

  Read Less
January 20, 2022
Brian Higgins
Security Specialist
Comparitech.com

Egregious attacks such as this are unfortunately becoming an occupational hazard for charity and relief organisations as the vital nature of the data they possess coupled with the extreme vulnerability of the individuals to whom it relates provides a highly attractive target for certain groups of cybercriminals.

In the absence of any clear idea of motivation at this stage, the Red Cross is clearly doing everything they reasonably can to respond but I’m sure more information will soon come to

.....Read More

Egregious attacks such as this are unfortunately becoming an occupational hazard for charity and relief organisations as the vital nature of the data they possess coupled with the extreme vulnerability of the individuals to whom it relates provides a highly attractive target for certain groups of cybercriminals.

In the absence of any clear idea of motivation at this stage, the Red Cross is clearly doing everything they reasonably can to respond but I’m sure more information will soon come to light. 

It’s a sad yet sobering fact that network security is becoming more and more difficult as third party and supply chain organisations are vital elements of doing business in any sector, but it is almost impossible to implement consistent security protocols and defences across an entire enterprise. Attackers will always find a weak link in the chain and exploit it. Now that this highly sensitive, humanitarian stolen data is in the wild one can only support the Red Cross Director General in his call.

  Read Less
January 20, 2022
Bill Conner
CEO
SonicWall

Cyber risk affects virtually every kind of enterprise. It is not a matter of if, but when. Companies should start with the presumption that they will be attacked and have a comprehensive incident response plan in place. An incident response plan should include a consumer notification process especially when sensitive data such as Social Security numbers and financial information is corrupted. Regulation or industry standards should be put in place to protect consumers and relevant stakeholders

.....Read More

Cyber risk affects virtually every kind of enterprise. It is not a matter of if, but when. Companies should start with the presumption that they will be attacked and have a comprehensive incident response plan in place. An incident response plan should include a consumer notification process especially when sensitive data such as Social Security numbers and financial information is corrupted. Regulation or industry standards should be put in place to protect consumers and relevant stakeholders from experiencing material damage and ensuring transparency.

  Read Less
January 20, 2022
Jamie Akhtar
CEO and Co-founder
CyberSmart

This attack perfectly demonstrates that no target is off the table for cybercriminals. And, once again, we’re discussing an attack that started in the organisation’s supply chain. Indirect attacks on large organisations are fast becoming a favoured tactic of cybercriminals; it’s often much easier to breach a supplier or subsidiary first. 

So we urge businesses big and small to start conversations with your supply chain. Share security practices, be transparent, and keep lines of communication

.....Read More

This attack perfectly demonstrates that no target is off the table for cybercriminals. And, once again, we’re discussing an attack that started in the organisation’s supply chain. Indirect attacks on large organisations are fast becoming a favoured tactic of cybercriminals; it’s often much easier to breach a supplier or subsidiary first. 

So we urge businesses big and small to start conversations with your supply chain. Share security practices, be transparent, and keep lines of communication open. It might just be the difference between successfully avoiding a breach or not.

  Read Less
January 20, 2022
Javvad Malik
Security Awareness Advocate
KnowBe4

There are no details about how the sophisticated cyber attack occurred, but history has shown that in many cases the attacks are seldom sophisticated and often originate through some user error, like making a cloud database public, a spear phishing attack, poor credentials, or exploiting an unpatched system. 

It's quite concerning how sensitive the data is that has been exposed, and one hopes the information doesn't appear on forums or for sale. It's a reminder that today's cyber security

.....Read More

There are no details about how the sophisticated cyber attack occurred, but history has shown that in many cases the attacks are seldom sophisticated and often originate through some user error, like making a cloud database public, a spear phishing attack, poor credentials, or exploiting an unpatched system. 

It's quite concerning how sensitive the data is that has been exposed, and one hopes the information doesn't appear on forums or for sale. It's a reminder that today's cyber security discipline is different from what it was 20 years ago. No longer is it about protecting data, but protecting lives.

  Read Less
What do you think of the topic? Do you agree with expert(s) or share your expert opinion below.
Be part of our growing Information Security Expert Community (1000+), please register here.