Cyber Incident Victim: International Committee of the Red Cross
Date:
Jan 2022
Location:
Switzerland
Summary
A cyberattack targeting a contractor for the International Committee of the Red Cross compromised personal data of over 515,000 vulnerable individuals enrolled in its Restoring Family Links program, which reunites families separated by conflict, migration, or disasters. The stolen information—collected globally through 60 Red Cross and Red Crescent societies—included highly sensitive details of at-risk populations, prompting urgent appeals to threat actors not to exploit the data. The organization confirmed no evidence of public data leaks but took critical systems offline during the investigation, severely disrupting humanitarian reunification efforts while the perpetrators remained unidentified.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 3 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On January 19, 2022, the International Committee of the Red Cross (ICRC) disclosed a cyberattack targeting a contractor responsible for storing data related to its Restoring Family Links program. The breach resulted in the theft of personal information belonging to 515,000 individuals seeking to reunite with family members separated by conflict, disaster, or migration. The compromised data had been aggregated from at least 60 Red Cross and Red Crescent National Societies worldwide, reflecting the program’s global humanitarian reach. While the specific nature of the cyberattack remained unconfirmed, the ICRC emphasized the extreme sensitivity of the exposed information, noting that affected individuals represented highly vulnerable populations already enduring significant trauma. No group claimed responsibility for the intrusion, and the ICRC stated it had no evidence indicating the stolen data had been leaked, sold, or publicly disseminated following the breach.
In response to the incident, the ICRC immediately shut down the Restoring Family Links program’s systems and website to contain further risks, an action that disrupted its core operations to locate missing persons and reconnect families. ICRC Director-General Robert Mardini publicly appealed to the unidentified threat actors, urging them not to publish, share, sell, or exploit the stolen data due to the profound additional harm it could inflict on victims. The organization emphasized the absence of political or military value in the compromised information, framing its appeal around humanitarian principles rather than technical or financial countermeasures. The prolonged system outage hindered the ICRC’s capacity to process new tracing requests or advance existing cases during the investigation, directly impacting displaced populations reliant on the service. The breach underscored systemic risks associated with third-party data handling in humanitarian operations while highlighting the ethical dilemma of targeting aid organizations.