Red Cross Begs Attackers Not to Leak Stolen Data for 515K People

A cyberattack forced the Red Cross to shut down IT systems running the Restoring Family Links system, which reunites families fractured by war, disaster or migration. UPDATE: The ICRC says it’s open to confidentially communicating with the attacker.

The Red Cross is imploring threat actors to show mercy by abstaining from leaking data belonging to 515,000+ “highly vulnerable” people. The data was stolen from a program used to reunite family members split apart by war, disaster or migration.

“While we don’t know who is responsible for this attack, or why they carried it out, we do have this appeal to make to them,” Robert Mardini, the director general of the International Committee for the Red Cross (ICRC), said in a release on Wednesday. “Your actions could potentially cause yet more harm and pain to those who have already endured untold suffering. The real people, the real families behind the information you now have are among the world’s least powerful. Please do the right thing. Do not share, sell, leak or otherwise use this data.”

The attack forced the ICRC, along with the wider Red Cross and Red Crescent network, to shut down the systems underpinning the Restoring Family Links site. That action also crippled the humanitarian network’s ability to reunite separated family members, the release said.

Password Management WebinarAs of Thursday morning, the site was still down.

As Ars Technica has reported, the Internet Archive last updated the Restoring Family Links site on Dec. 27, suggesting that the breach may have happened around then.

012122 04:46 UPDATE: As of Friday afternoon, the site was still down, and the ICRC had posted a Q&A about the incident. The organization emphasized that this was “a targeted, direct cyber-attack on ICRC servers, not the company that hosted them.” The servers in question are hosted at a company in Switzerland that the ICRC didn’t identify.

ICRC’s Up for Talking to Unknown Attackers

The ICRC doesn’t know who’s behind this attack. Its Friday release reiterated that it hasn’t been contacted by any ransomware gangs. It is, however, open to discussing the situation with the marauders. “We have not had any contact with the hackers and no ransom ask has been made. In line with our standing practice to engage with any actor who can facilitate or impede our humanitarian work, we are willing to communicate directly and confidentially with whoever may be responsible for this operation to impress upon them the need to respect our humanitarian action,” according to Friday’s Q&A.

The compromised data, which originated from at least 60 Red Cross and Red Crescent National Societies around the world, included personal data and confidential information for those who’ve used the Restoring Family Links site.

The attack compromised personal data such as names, locations, and contact information of the more than 515,000 affected people from across the world: over half a million people including  missing persons and their families, unaccompanied or separated children, detainees and other people receiving services from the Red Cross and Red Crescent Movement as a result of armed conflict, natural disasters or migration.

As well, login information for about 2,000 Red Cross and Red Crescent staff and volunteers who work on the family restoration programs was also compromised. The ICRC said that no other information was compromised due to system segmentation.

So far, as of Friday, there was still no sign that the compromised data has been leaked or shared publicly, according to the ICRC.

What Harm Could the Breach Lead to?

The ICRC pointed out that the data was collected to enable the Red Cross and Red Crescent Movement to trace and track missing people: in other words, data that could be used to track  down, abuse or persecute them. “If misused or in the wrong hands, it could potentially be used by States, non-state groups, or individuals to contact or find people to cause harm,” the ICRC said. “This attack is an extreme violation of their privacy, safety and right to receive humanitarian protection and assistance.”

As well, one of the ICRC’s most significant concerns is that it will lose the trust of those who need humanitarian help and to whom it’s dedicated to serving. “The data that was accessed was collected by Red Cross and Red Crescent societies across the world with the aim of helping some of the most vulnerable reconnect with their families or find a missing loved one,” the humanitarian network said. “We cannot do this work across countries and oceans without sharing data across the Red Cross and Red Crescent Movement. This work is mandated by States and we are not able to do it without people having the faith and confidence in us to share this information to help find them answers.”

‘Appalling,’ ‘Perplexing’ Attack

Mardini said that the attack sharpens the anguish that families are already suffering.

“An attack on the data of people who are missing makes the anguish and suffering for families even more difficult to endure,” he said in the release. “We are all appalled and perplexed that this humanitarian information would be targeted and compromised. This cyberattack puts vulnerable people, those already in need of humanitarian services, at further risk.”

Red Cross spokesperson Elizabeth Shaw told CNN that the top priority is to work with ICRC delegations, and Red Cross and Red Crescent societies on the ground, “to find ways to inform individuals and families whose data may have been compromised, what measures are being taken to protect their data and the risks they may possibly face.”

She also ruled out the possibility of ransomware having been involved in the incident and said that “highly specialized” cybersecurity firms are helping the ICRC to respond to the attack.

‘Straight for the Jugular’

Would that this attack were an anomaly. Unfortunately, cyberattackers haven’t shown strong moral compasses when it comes to waging attacks against the wretched.

The numbers make it clear: Check Point Software saw an increase of 71 percent in the number of cyberattacks on the healthcare sector in 2021, which works out to up to 830 weekly attacks.

Check Point spokesperson Ekram Ahmed told Threatpost on Thursday that healthcare is “one of the most-targeted industries by threat actors, according to our data.”

That won’t change in 2022: “We expect the trend of threat actors targeting healthcare organizations to only continue as we go into 2022,” Ahmed said.

The attack demonstrates the ruthlessness of cybercrime as a business, he said.

“Hackers show no mercy on healthcare or other such humanitarian targets, and the Red Cross is not alone here. Hacking groups are aware of the sensitivity of this data, and they see them as ‘fast-money targets,'” Ahmed observed via email. “Hospitals and healthcare organizations can’t afford to halt operations, as it could literally lead to life-or-death situations.”

The threat actors involved in the cyberattack on the Red Cross “went straight for the jugular,” he noted, going after the organization’s most sensitive data — an possibly seeking to create as much leverage as possible to secure an extortion payment.

Were the compromised data to be leaked, it could lead to “potentially devastating consequences for victims,” Ahmed continued. “The cyberattack on the Red Cross makes vulnerable people even more vulnerable, potentially forcing them to suffer longer and endure further pain.”

Darktrace director of enterprise security David Masson wished godspeed to the Red Cross when it comes to finding and securing the information quickly.

“While reputational damage will be a concern for an organization, it pales compared to the potential harm that may come to already highly fragile individuals and groups,” he told Threatpost on Thursday. “If the attackers do not return the data, then hopefully, the Red Cross receives the aid and support it needs to find and secure the information quickly, start delivering much-needed reassurance to those who rely on the organization, and get its ‘Restoring Family Links’ program back up and running soon.”

012122 17:10 UPDATE: Added material published by the ICRC in its Friday update.

Photo courtesy of American Red Cross/Talia Frenkel. Licensing details.


Suggested articles