Equipo Nizkor - Cyber-attack on ICRC: What we know.

Here are some answers to questions based on the latest information that we can share. We will continue to update this Q&A with new information based on the latest developments and adapt language for accuracy.

1. What happened?

One of our cyber partners detected an anomaly on ICRC servers that contained information relating to the global Red Cross and Red Crescent Movement's Restoring Family Links services, in which we work across countries to reconnect people separated by war, violence, migration and other causes. We then did a deep data dive with our partner and determined that hackers had been inside these systems and had access to the data on them.

The nature of the attack meant we could not guarantee the integrity of the system, so we took the compromised servers offline. We are now going through each application log to better understand what occurred. We do not believe that the data has been tampered with at this time, but to be sure we are hiring an independent audit firm to confirm this.

We also feel it is important to clarify that this was a targeted, direct cyber-attack on ICRC servers, not the company that hosted them. We manage the data and applications on these servers, not the hosting company. We cannot give any further information on the technical details of how the attack was carried out due to the ongoing nature of the situation.

2. Who is behind this attack?

We do not know who is behind this attack. We have not had any contact with the hackers and no ransom ask has been made. In line with our standing practice to engage with any actor who can facilitate or impede our humanitarian work, we are willing to communicate directly and confidentially with whoever may be responsible for this operation to impress upon them the need to respect our humanitarian action.

3. What are we doing to respond to the breach?

We are working with concerned ICRC delegations and Red Cross and Red Crescent societies on the ground to find ways to inform individuals and families whose data may have been breached, what measures are being taken to protect their data and the risks they may possibly face. We took the compromised servers offline and are now in the process of identifying short-term solutions to enable Red Cross and Red Crescent teams worldwide to continue providing related humanitarian services for the people impacted by this breach.

4. Were data sets copied and exported?

We must presume so. We know that the hackers were inside our systems and therefore had the capacity to copy and export it. To our knowledge the information has not been published or traded at this time. It is also important to share that we believe that no data was deleted and we are working on interim solutions for Red Cross and Red Crescent teams to continue supporting families separated from or without news from their loved ones.

5. What information did the hackers have access to?

The breach included personal data such as names, locations, and contact information of more than 515,000 people from across the world. The people affected include missing people and their families, unaccompanied or separated children, detainees and other people receiving services from the Red Cross and Red Crescent Movement as a result of armed conflict, natural disasters or migration. Login information for about 2,000 Red Cross and Red Crescent staff and volunteers who work on these programs has also been breached. No other information at the ICRC was compromised due to the segmentation of the systems.

6. There are reports that information is now for sale on the dark web. Have you investigated those and what have you found?

We have a dedicated team who are following any reports we receive of data being available on the dark web. Right now, we do not have any conclusive evidence that this information from the data breach has been published or is being traded. If we determine that one of these reports is genuine, we will share this information publicly and transparently.

7. Who are we working with?

We have partnered with highly specialised firms to help us with this, and the Red Cross and Red Crescent network is in contact with the competent national authorities.

8. How does this impact our work?

Every day, the Red Cross and Red Crescent Movement helps reunite 12 people with their families. Cyber-attacks like this jeopardise that essential work. As a result of this breach, we have been forced to take the data hosting systems in question offline, severely limiting the humanitarian services we can offer to the over half a million people affected. States have mandated impartial humanitarian organizations, such as the ICRC, with specific responsibilities. These include collecting information on people reported missing in order to reconnect separated family members. We need a safe and trusted digital humanitarian space in which our operational information, and most importantly the data collected from the people we serve, is secure. This attack has violated that safe digital humanitarian space in every way.

9. What impact could this have on people's confidence and trust in the ICRC to protect their personal data?

A significant impact, and this is one of our greatest concerns. This cyber-attack could cost us the trust of people we serve to share with us data we need to be able to help them. The data that was breached was collected by Red Cross and Red Crescent societies across the world with the aim of helping some of the most vulnerable reconnect with their families or find a missing loved one. We cannot do this work across countries and oceans without sharing data across the Red Cross and Red Crescent Movement. This work is mandated by States and we are not able to do it without people having the faith and confidence in us to share this information to help find them answers.

10. How could this data be used to cause harm?

We do not wish to speculate on any possible misuse of this data. However, it is important to remember that this data was collected to enable the Red Cross and Red Crescent Movement to trace and track missing people. If misused or in the wrong hands, it could potentially be used by States, non-state groups, or individuals to contact or find people to cause harm. This hack undermines peoples' privacy and safety as well as the Red Cross and Red Crescent Movement's humanitarian protection and assistance operations.

11. Why did we outsource personal and confidential data to a third-party supplier?

We chose this company and have them as a longstanding supplier because they have the same rigor and standards as we would for any servers hosted in-house. We want to reiterate that this was a direct attack on ICRC servers, not the company that hosted them.

12. What systems were in place to prevent an attack like this from happening?

We at the International Committee of the Red Cross have been warning for years of an increase in cyber-attacks on health-care facilities, as well as our increasing concern about data protection in humanitarian situations. We have been long aware of the danger that our data could one day be the target of an attack. We have invested substantially in cyber security and work with trusted partners to maintain high standards of data protection and systems. We have also invested in systems to help us detect any suspicious activity, which is how we came to know of this cyber-attack. To ensure we have professional cyber-defense, we contract an external company each year to audit our systems. However, this attack shows that these systems are not immune from highly sophisticated cyber operations and we want to reiterate that it is crucial that data collected and stored for humanitarian purposes is not the target of attack.

13. What should I do if I think my data might have been accessed in the cyber-attack?

For anyone concerned about their data, please contact your local Red Cross or Red Crescent national society or the International Committee of the Red Cross office in your own country. We know you entrusted us with personal information and details about often traumatic events in your lives. This is not a responsibility we take lightly. We want you to know we are doing everything we can to restore the services that we offer across the world. We will work hard to maintain your trust so we can continue to serve you.

25Jan22

Cyber-attack on ICRC: What we know

[Source: CICR, Switzerland, Latest update as of 25Jan22]

Informations
Bookshop \| Donate Derechos \| Equipo Nizkor