When the International Committee of the Red Cross (ICRC) announced that it had been targeted in a major hack on January 19, 2022, Nathaniel Raymond was dismayed but unsurprised. Raymond, a lecturer at the Jackson School of Global Affairs at Yale University and an expert in technology and human rights, has spent the better part of two decades lobbying the humanitarian sector to do more to secure the data it collects from the world’s most vulnerable people.

“What we see over and over again is that humanitarians are being expected to hold some of the most sensitive data in the world of the most vulnerable people in the world and have the resources of mall cops to protect against the cyber hacking equivalent of Delta Force,” Raymond told Rest of World.

The ICRC said that the hack compromised the data of more than 515,000 people who were part of its Restoring Family Links database, a program created to help people separated by migration and conflict find their family members. The data included people’s names, locations, and contact details from more than 60 ICRC sites around the world. The culprit has yet to be named, but humanitarian experts fear that the data could be used by governments to target groups of people in exile, or by extortionists exploiting refugees’ vulnerability.

Meron Estefanos, a Swedish-Eritrean journalist and human rights activist, said that refugees looking to find their missing relatives are often targeted by criminals after putting their details on social media. “People would use that information and call people saying, Your loved one is in this place or that place. If you send me $10,000, $20,000, I’ll let you speak to your loved one,” Estefanos said. “Scammers would often search Facebook posts for missing people. And when your loved one is missing, you would love to believe anything, that that person is alive.”

The ICRC hack is the latest in a series of security breaches putting humanitarian data at risk. In 2019, the United Nations was the target of a hack that compromised servers, including its human rights office. In 2017, a company called Red Rose, which worked with large aid organizations, was exposed as having multiple security vulnerabilities. These issues, experts said, are partly the consequence of a mismatch between what humanitarian donors want and what they’re willing to pay for. They demand more and more data on what aid agencies are doing to help them to justify their spending, but they’re not willing to pay to keep that data secure.

“Most of the data we collect is to benefit us to continue to get funding rather than to actually provide direct support to folks whose data we are collecting,” Linda Raftree, a consultant who helps humanitarian organizations adopt new technology, told Rest of World. “If the donor is demanding that a particular type of data be collected but isn’t willing to fund the protection of that data, then that’s problematic.”

Humanitarian organizations have always needed to collect data to help them work, but the demands on them have increased, as donors — often governments or philanthropic foundations — demand more transparency over how their money is spent. They also often want to see their donations being used for direct program work rather than “overhead,” the fixed, unsexy administrative spending on staff and IT that keeps aid agencies running. Unfortunately, cybersecurity tends to fall into that category: an ongoing cost — necessary but not something that excites a donor.

“Maintenance is the hardest thing to get donors to invest in,” said Stuart Campo, team lead for data responsibility at the United Nations Office for the Coordination of Humanitarian Affairs (OCHA). “Even if they recognize the function of a platform or service, there has been this tendency to focus on the new shiny objects rather than sustaining something that has recognized value.”

Aid agencies, too, sometimes underestimate the risks they take on when they collect data, as well as the costs of storing it, and so they collect more than they need. 

“Many organizations take a ‘more is better’ approach to data, gathering it without knowing why or what it would be used for,” said Zara Rahman, deputy director of The Engine Room, a nonprofit that helps civil society organizations manage and use data. “That data can be a liability for them and put people at risk if malicious actors get hold of it.”

Experts who spoke to Rest of World said that the latest breach is particularly concerning, because the ICRC is one of the more careful and better resourced organizations in the humanitarian sector. It employs full-time IT staff, has minimized unnecessary data collection, and maintains clear, public policies about how the data from Restoring Family Links is used.

It has also been very transparent about its breach, despite the reputational and financial risks attached to acknowledging the hack. Robert Mardini, the ICRC’s director general, put out a public statement urging the hackers not to publish or sell the data. In an email to Rest of World, ICRC spokesperson Crystal Wells said that the organization is reaching out to those whose data was compromised in the hack, saying, “We encourage anyone who is concerned that they could have been impacted to contact their local Red Cross or Red Crescent Society or the ICRC.”

Raymond praised the ICRC’s openness and said that donors should encourage this level of honesty. Unlike banks and credit card companies, organizations like the ICRC are not mandated by laws to report a data breach. When the United Nations was hacked in 2019, it did not disclose the breach until it was reported by The New Humanitarian in 2020, and experts are worried that there could have been other breaches, leaks, and hacks that have gone unreported or unnoticed.

“If the ICRC, the organization that has invested the most, has trained the most, has developed the most doctrine, can be susceptible,” Raymond said, “then the question is what’s happening to other organizations where we don’t even know that the hacks are occurring?”