The fallout is just beginning after what data privacy researchers say could be the biggest-ever breach of humanitarian data.
The New Humanitarian spoke to Zara Rahman, acting executive director of The Engine Room, a tech and data non-profit, to find out why this huge hack at the International Committee of the Red Cross (ICRC) on 19 January shouldn’t come as a surprise, and what the aid sector needs to do to protect itself — and vulnerable people.
For Rahman, “it’s in many ways the worst-case scenario we’ve been warning about for years now”, but what should perhaps concern us more, she warns, is that it happened at the ICRC, an organisation considered to have some of the best digital protection practices in the sector.
The ICRC said the cyber-attack compromised the data of more than 515,000 of the world’s most vulnerable – including people uprooted by conflict and disasters. The exposed data reportedly includes names, locations, and contact information collected by at least 60 Red Cross and Red Crescent societies around the globe.
The ICRC said it wasn’t clear if the data was shared (though a user on one hackers’ forum claimed to be ransoming it). While the ICRC is urging hackers not to release the data, some analysts also said the group itself should be held accountable: “Humanitarian [organisations] should not get a free pass. They are responsible to safeguard the data they collect,” tweeted Stefan Soesanto, a cybersecurity researcher.
Will this high-profile hack spark long-demanded improvements to information security across the aid sector?
Experts have long urged aid groups to prioritise the issue, but the list of poor practices grows ever longer: unreported breaches, insecure systems, security lapses, ransomware attacks, poor data-handling, questionable partnerships, or simply collecting too much data in the first place.
For a sobering deep dive on these examples and more, check out our ongoing collection of reporting on humanitarian technology.