A cyber-attack targeting the World Food Program has exposed sensitive personal information belonging to some 600,000 households in Gaza, the UN’s food agency has confirmed, in what may be the largest-known breach of humanitarian beneficiary data to date. WFP is investigating a “security-related incident” in which “unauthorized actors” accessed personal information submitted by Palestinians in Gaza, the agency said in a statement sent to aid recipients via Telegram on May 31. The exposed information included names, ID and mobile numbers, and location data, the statement said.
WFP confirmed the data breach on June 2. “WFP recently detected unauthorized access of its self-registration application (SRA) for Palestine, where individuals are able to register to receive food and cash assistance after verification,” a spokesperson said in a statement responding to questions from The New Humanitarian. “WFP took immediate action to shut down the platform, contain the intrusion, and strengthen its security controls to prevent further exposure.”
More than 2 million people in Gaza have submitted their personal information to WFP’s self-registration application, known as People Portal, which the WFP credits for cutting registration red tape and response times. The spokesperson said the compromised data is “isolated to the SRA application used only in Palestine.”
An investigation is under way, and no party has claimed responsibility, WFP said.
WFP said the cyber-attack occurred on May 14. The Telegram message to affected Gazans was sent 17 days later.
Digital security experts say aid groups are increasingly the target of sophisticated hacks and cyber-attacks. In one of the largest previously known breaches of humanitarian data, sensitive personal information belonging to 515,000 people was exposed in a 2022 hack targeting the International Committee of the Red Cross. The following year, the Norwegian Refugee Council said a cyber-attack hit a database containing info on thousands of project participants in one country. In the past, the UN has also come under fire for failing to disclose cyber-attacks.
The Gaza breach also spotlights data practices at WFP, which is consistently the world’s largest humanitarian agency, based on volume of funding.
The agency has long sought to grow its global beneficiary ID management programme, known as SCOPE. A 2021 auditnoted that 63.8 million “identities” were registered in SCOPE, including some 20 million beneficiaries that were “actively managed.” At the time, SCOPE was used in 80% of the countries where WFP had a presence. An earlier 2017 audit said the agency needed major improvement in how it safeguarded beneficiary data.
WFP has previously said it intended a full rollout of SCOPE in Palestine in 2026. The agency said the May data breach did not affect SCOPE or other data management systems.
WFP has also come under fire for its relationship with Palantir, the US military contractor and big data analytics firm that is also highlighted in the “economy of genocide” UN rights report naming companies accused of sustaining Israel’s occupation of Palestine. Humanitarian organizations risk losing their protection under international law by partnering with military-linked technology companies, according to Access Now, a digital rights advocacy group that has documented the WFP-Palantir relationship.
WFP says its Palantir partnership backstops DOTS, a platform that combines data across systems.
A 2022 audit of WFP’s Palestine operations said risks related to personal data collection had not been assessed or mitigated due to limited internal technical capacity.
From The New Humanitarian, June 2, condensed.
Photo: Mohammed Nateel/UNICEF via UN News
