Red Cross begs attackers to "Do the right thing" after family reunion service compromised

Restoring Family Links is a program most commonly associated with The Red Cross. It’s been around since 1870, and aims to reunite lost family members, repatriate individuals, prevent folks from disappearing, and much more. You may have seen them in the news during times of disaster, war, and other situations necessitating some form of international aid.

Sadly, someone has compromised a large chunk of data related to the Restoring Family Links program and nobody knows what they intend to do with it.

Unauthorised access of data

In an attack billed as “sophisticated”, personal and confidential data related to no fewer than 515,000 people has been pilfered by unknown attackers. Those impacted may be victims of disaster, conflict, or detention.

According to the ICRC (International Committee of the Red Cross), the data originated from “at least 60 Red Cross and Red Crescent National Societies around the world”. The data itself was taken from an “external company” located in Switzerland, which the ICRC had contracted to manage it.

The impact of the attack is already being felt. Should you visit the Restoring Family Links page at this time, you’ll see it’s down for maintenance. The whole program’s systems have been shut down while they figure out what exactly has happened, and which bits of their network are still insecure.

As the ICRC notes, an average of 12 missing people a day are reunited with their families. Interfering with humanitarian work such as this can have potentially fatal consequences, so the stakes here are very high indeed.

Under attack (again)

The Red Cross/ICRC have had a number of run-ins with hacks and leaks in the past. For example, 555,000 people had their details leaked in 2016 when Red Cross Australia blood donor information was accessed by someone without permission. In 2019, it happened again in Singapore but on a much smaller scale.

The ICRC takes this subject very seriously, to the extent there’s a handbook on data protection in humanitarian action. We don’t know yet how this aligns with whatever has happened at the external data host, however.

From untargeted to very targeted…

During the Japan tsunami and earthquake of 2011, a huge volume of scam attacks sank their claws into the disaster. We saw fake missing relative notices, bogus Red Cross websites, fake charity donation sites, 419 scams, and even radiation health e-books.

They all tried to exploit a crisis, but the activity was primarily very general and untargeted.

This breach could have severe consequences for both the people in the data and those related to them. The pilfered details could be used for all manner of scam attempts. Phishing, social engineering, blackmail, fraud: all of these things and more could be in the running, and unlike those earlier scams they would be highly targeted, with a potentially very good chance of succeeding. Sensitive information could also make its way to governments that don’t have the best interests of those named at heart.

The humanitarian world holds its breath

We don’t know what’s going to happen to the compromised data. There’s a real worry it could simply be tossed out into the ether. As the ICRC put it:

Your actions could potentially cause yet more harm and pain to those who have already endured untold suffering. The real people, the real families behind the information you now have are among the world’s least powerful. Please do the right thing. Do not share, sell, leak or otherwise use this data.

Will they do the right thing? Unfortunately, we could be in for a long wait to find out.


Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.