UN food agency data breach hits 600,000 Gaza households

▼ Summary
– The World Food Programme’s self-registration application for Gaza was breached, exposing personal data of beneficiaries.
– Attackers stole names, ID numbers, phone numbers, and location information from roughly 600,000 Palestinian households.
– The registration platform was temporarily suspended to implement security improvements, and assistance programs continue as normal.
– WFP warned beneficiaries to be wary of scammers requesting information or money and to avoid suspicious links.
– This breach follows other recent cyberattacks on UN agencies, including the UNDP and ICAO in 2024.
Over the weekend, the United Nations World Food Programme (WFP) confirmed a data breach affecting its self-registration application (SRA) for Palestine, compromising the personal information of hundreds of thousands of Gaza households. The incident, disclosed via a Telegram message on Sunday, exposed sensitive data including names, ID numbers, phone numbers, and location details such as neighborhood registration records.
The WFP assured beneficiaries that no action is required regarding their registration. “You do not need to update, delete, or re-register your information. If you are already registered, you will remain part of the WFP assistance programs. Food, cash, and other assistance will continue as normal, and you will continue to receive assistance,” the organization stated. The registration platform has been temporarily suspended to implement urgent security improvements, and the WFP is actively investigating the breach while monitoring the situation.
In a Tuesday update, the WFP confirmed that the platform remains offline as security measures are strengthened. Although the agency has not publicly specified the exact number of affected individuals, it shared with The New Humanitarian that attackers accessed the system on May 14, stealing data from roughly 600,000 Palestinian households in Gaza.
The WFP also warned beneficiaries to remain vigilant against potential scams, advising them to “be wary of anyone claiming to represent the World Food Programme and requesting information or money” and to avoid clicking suspicious links or messages. A WFP spokesperson was not available for comment when contacted by BleepingComputer earlier today.
The WFP, founded in 1961 and headquartered in Rome, is a UN agency funded by government, corporate, and private donations. It operates the world’s largest humanitarian logistics network, with over 20,000 staff across 120 countries, 5,000 trucks, 20 ships, and around 80 aircraft delivering emergency aid. In 2024, the agency disbursed US$2.82 billion in financial assistance and distributed approximately 2.5 million metric tons of food globally.
This breach is not an isolated incident for the United Nations. In August 2019, the UN itself failed to disclose a cyberattack affecting its Geneva offices. Five years ago, the UN Environmental Programme (UNEP) exposed the personally identifiable information (PII) of over 100,000 employees. More recently, in 2024, an 8Base ransomware attack hit the UN Development Programme (UNDP), and attackers stole roughly 42,000 records from a recruitment database belonging to the UN International Civil Aviation Organization (ICAO).
(Source: BleepingComputer)




