ICRC cyber-attack: Sharing our analysis
One month has passed since we at the International Committee of the Red Cross (ICRC) determined that servers hosting personal data belonging to more than 515,000 people worldwide had been hacked.
Our teams have been working as hard as they can to understand how this attack happened, its ramifications, how we can improve our security systems, and how to communicate the facts of this deplorable situation to the people we are entrusted to protect and assist.
We feel it is our responsibility as a humanitarian organisation accountable to our partners and the people we serve to share what we can about this unacceptable attack.
Today we are sharing additional information about this hack as part of our firm commitment to the people we seek to protect and assist. It is one way in which we are striving to earn their continued trust.
Let me first underscore an established fact: this was a sophisticated attack – a criminal act – breaching sensitive humanitarian data. We know that the attack was targeted because the attackers created code designed solely for execution on the concerned ICRC servers, a technique we believe was designed to shield the hackers' activities from detection and subsequent forensic investigations.
The hackers took advantage of a vulnerability that none of our cyber-defence systems detected, and once inside our network deployed techniques to disguise themselves as legitimate users. When this infiltration was identified, we made immediate changes to some of our processes and tools, and we are speeding up the activities already planned as part of our cyber security enhancement programme.
Sharing such information is not a comfortable exercise, but I believe it is only by being transparent about our challenges that we can learn from them and improve our policies and practices.
We are working hand in hand with our Red Cross and Red Crescent National Society partners around the world on ways we can best inform people whose data was breached. Our primary concern is to mitigate the risks they may face. We are doing this through phone calls, hotlines, public announcements, letters and in some cases in-person visits to remote communities.
Those affected include missing people and their families, detainees and others receiving services from the Red Cross and Red Crescent Movement as a result of armed conflict, natural disasters, or migration. We have managed to ensure that the vital work of locating missing family members has continued, albeit at minimal service levels, through low-tech solutions (using simple spreadsheets, for example), while we work toward resuming full service with enhanced security features.
Working in natural disasters and across conflict frontlines brings with it real risk. The Movement's neutral and impartial approach is vital to be able to work safely in such environments. We liaise with government authorities and armed groups to minimise the dangers faced by our Movement's staff and volunteers, medical facilities, vehicles and other physical assets. We have the same approach in the digital world as in the physical one – and we must not be a target in either.
It is our hope that this attack on vulnerable people's data serves as a catalyst for change. We will now strengthen our engagement with states and non-state actors to explicitly demand that the protection of the Red Cross and Red Crescent Movement's humanitarian mission extends to our data assets and infrastructure. We believe it is critical to have a firm consensus – in words and actions – that humanitarian data must never be attacked.
Let me close by saying the following to the people we assist and to our partners in the Red Cross and Red Crescent Movement, who entrust us with their data: I deeply regret that your data was breached in this unacceptable attack. I pledge that we will do everything in our power to further enhance the protection of our data today and in the future and, crucially, to press for the protection of humanitarian action in the digital space.