The Red Cross was hit by a sophisticated cyberattack that compromised the sensitive information of more than 515,000 vulnerable people.

The attack forced the Red Cross to shut down the IT systems that support “Restoring Family Links,” a program that reunites families separated by conflict, migration or disaster. The program reunites on average 12 missing people with their families, said Robert Mardini, director-general of the International Committee of the Red Cross (ICRC). “This cyberattack puts vulnerable people, those already in need of humanitarian services, at further risk.”

The Red Cross also said the attackers targeted an external company in Switzerland that the organization uses to store data, and the ICRC has implored them not to share, sell, leak or otherwise use the compromised information. “Your actions could potentially cause yet more harm and pain to those who have already endured untold sufferings... Please do the right thing. Do not share, sell, leak or otherwise use this data,” Mardini said.

Saryu Nayyar, CEO and Founder, Gurucul, says, “This is an ugly attack on individuals and families by threat actors. Charitable organizations are at least as understaffed as enterprises when it comes to security personnel and resources.”

The ICRC has no immediate indications as to who carried out this cyberattack, and there is no indication that the compromised information has been leaked or shared publicly.

While some cybercriminal groups have rules to keep organizations like the Red Cross out of the line of fire, this isn’t a universally adopted position, says Tim Wade, Technical Director, CTO Team at Vectra. “This attack seems to have little financial gain for the cybercriminals behind it, but we’re increasingly seeing attacks that are just as much about disruption, fear and discrediting opposing ideologies instead of making money. Regardless of whether this was targeted or merely opportunistic, it’s clear that every organization faces some level of material cyberthreat today.”

When it comes to sensitive personal data, nothing is off-limits to cybercriminals, nor is any data low value, says Hank Schless, Senior Manager, Security Solutions at Lookout. “Depending on what data was stolen by the attackers, they could use it to carry out fraudulent activities online, blackmail the victims, or sell it to other malicious actors on the Dark Web.”

So, what can organizations learn from this attack? Schless explains, “It’s interesting that attackers went after an external company that stores data on behalf of the Red Cross. This is a fairly common tactic and exemplifies how third-party integrations present additional risk to any organization’s data. If you’re going to integrate with a third party, even if it’s through a simple API to store data, it’s critical to go through a full security review with the solution provider. Doing so on a regular basis will help mitigate the risk of your data mistakenly being leaked from an environment that’s out of your control. It’s also important to be able to understand how data is moving in and out of your infrastructure — both through automated processes and manual employee actions. This attack shows how threat actors have ways to indirectly attack any organization. With the broad adoption of the cloud, organizations of every type now have complex ecosystems of integrated solutions, which opens up countless avenues for unauthorized users to be able to access their sensitive data. 

“Data is no longer confined to your defined network perimeter. As employees, customers, and partners access that data from anywhere, there’s no guarantee of its security once it leaves your infrastructure. The current threat landscape has made it necessary for every organization to ensure its data loss prevention (DLP) capabilities are up to date. While DLP isn’t a new technology, the way it needs to be deployed now with so much cloud usage is far different from what it used to be when everything was on-premises. The ability to identify and classify sensitive data as well as apply the right level of encryption to it, even after it leaves your infrastructure, is key to mitigating the risk of data loss in today’s threat landscape,” Schless adds.