ICRC Cyber Attack is Our Constituent Data Management Nightmare

⇓ More from ICTworks

ICRC Cyber Attack is Our Constituent Data Management Nightmare

By Wayan Vota on January 26, 2022

ingo cyber attack

A sophisticated cyber security attack against International Committee of the Red Cross (ICRC) servers last week exposed sensitive personally identifiable information of 515,000 people in the Restoring Family Links program that seeks to reunite family members separated by conflict, migration, disaster, or detention.

The ICRC cyber attack is our collective constituent data management nightmare. Not unique, not isolated, and not unexpected.

We Are All Cyber Attack Targets

As Linda Raftree says, the ICRC has some of the best data policies, practices, and data protection staff in the international aid sector. In addition, they announced almost immediately that they had been hacked and the extent of the data breach. They put constituent harm reduction ahead of organizational reputation.

That transparency is rare in development. IntraHealth International was hacked in 2018, and staff were locked out of the IT systems for days. Yet Intraheath never said a word publicly. This very site, ICTworks, was hacked in 2015 and 2021, but we kept quiet. Luckily, neither hack involved PII or risked sensitive constituent data. Your organization was probably hacked recently too, yet where was its ICRC-level of transparency?

The harsh reality is that we should all be calculating our cyber threat model.

We All Fail at Data Minimization

As Amos Doornbos says, we should really be practicing data minimization. Only collecting the absolute minimum data we need to do our work, giving people real opt-out options, and then ensuring we use that data responsibly, and de-identifying, aggregating or deleting it afterwards. A practice we’ve been recommending for years, yet largely ignored.

Sadly, data minimization in aid looks to be a failure.

Powerful actors in the development-industrial complex – major donors, technology providers, national governments, organizational leaders – ask for more data, faster data, exact data to create a mythical “data-driven development” revolution.

Humanitarian organizations now collect massive amounts of personally identifiable data, sensitive health and location data, and concentrate that data in larger databases for monitoring and evaluation activities. We should ask ourselves:

Do our constituents know what we collect?
Can they realistically opt-out?
Do development organizations and donors actually use the data they collect?

We have a moral obligation to be responsible data stewards.

We All Fail at Data Protection

We always hear about exciting data collection processes and innovative data analysis approaches. Where is the equal fanfare about their corresponding data collection compliances, data security practices, and data protection investments?

Data protection is a sector wide challenge at systemic and organizational levels. We need equal priority, funding, and staffing for data security as we give to fancy dashboards. A recent NetHope cybersecurity report found that most NetHope Members are conscious of cyberthreats, but their information security activities are reactive, inconsistent, and ad-hoc in response to attacks.

For example, ICRC has resources and ability to manage data and applications on third-party servers. Yet this targeted, direct cyber-attack on ICRC servers, allowed hackers to access sensitive data. How many other organizations store data in the cloud? What are their data protection processes in storing, analyzing, or transmitting data?

Does your organization have standardized responsible data protocols? Do staff really follow them? Or not so much? Sadly, we all know that someone who freely passes around vulnerable people’s PII in big unencrypted Excel files on flash drives or in emails. Maybe that someone is us. We need to stop that, as individuals and a professional community.

We Must Institute Responsible Data Practices

Cybersecurity is a development challenge. A data breach at ICRC shows there are data breaches everywhere. We just don’t talk about them. That perpetuates our collective constituent data management nightmare.

As Linda concludes, constituent data cyber attacks will continue to happen, with more frequency and scale. We need to increase attention and funding for good data practices that we know can mitigate harm:

Data minimization
Privacy by design
Active & informed consent
Resourced & secure data systems
Well-trained staff at all levels

We must publicly identify threats, expose known bad actors, and share tactical knowledge about critical data incidents across the global humanitarian sector. In short, it is time to move forward with responsible data practices.

By Wayan Vota with inspiration and input from Linda Raftree.

Now Read These Related Posts

Filed Under: Data, Featured
More About: Cyber Attack, Cyber Threats, Cybersecurity, data management, Data Minimalism, Data Privacy, data protection, Data Security, ICRC, Responsible Data, Threat Model

Written by Wayan Vota

Wayan Vota co-founded ICTworks. He also co-founded Technology Salon, MERL Tech, ICTforAg, ICT4Djobs, ICT4Drinks, JadedAid, Kurante, OLPC News and a few other things. Opinions expressed here are his own and do not reflect the position of his employer, any of its entities, or any ICTWorks sponsor.

One Comment to “ICRC Cyber Attack is Our Constituent Data Management Nightmare”

Saadaldin Issa mohamed says:

February 19, 2022 at 1:23 pm

Thanks

About Us

ICTworks™ is the premier resource for international development professionals committed to utilizing new and emerging technologies to magnify the intent of communities to accelerate their social and economic development.

ICTworks