Anatomy of a Breach: The Red Cross — 515,000 Vulnerable People's Data Stolen from the World's Largest Humanitarian Organisation

> series: anatomy_of_a_breach —— part: 157 —— target: icrc_red_cross —— people: 515,000 —— data: conflict_victims_missing_persons_detainees

Hedgehog Security 31 January 2022 13 min read

515,000 of the world's most vulnerable people. Conflict victims. Missing persons. Detainees.

In January 2022, the International Committee of the Red Cross (ICRC) disclosed that a cyber attack had compromised the personal data of more than 515,000 people served by its Restoring Family Links programme — a service that reunites families separated by conflict, natural disaster, and migration. The stolen data belonged to some of the most vulnerable people on earth: victims of armed conflict, missing persons and their families, detainees, and people seeking protection.

The attack exploited an unpatched vulnerability in a Zoho ManageEngine server used by a third-party contractor hosting ICRC data. The attackers had been present in the system for approximately 70 days before detection. No group claimed responsibility, and the ICRC made a direct appeal to the attackers not to share, sell, or publish the data — noting that doing so would cause real harm to already vulnerable people. The ICRC Director General described the breach as 'an attack on the people and organisations that the Red Cross and Red Crescent Movement serves.'

When cybercrime targets people who have already lost everything.

Data of the Most Vulnerable
The stolen data belonged to people in the most precarious situations imaginable — separated families, conflict victims, detainees. For these individuals, data exposure creates risks far beyond identity theft: it can endanger physical safety, compromise refugee claims, or expose people to persecution. Data sensitivity must be assessed in context — and some data carries life-or-death consequences.
Unpatched Third-Party System
The breach originated from an unpatched Zoho ManageEngine vulnerability on a system managed by a third-party contractor — combining two recurring themes from this series: patching failures and supply chain risk. <a href="/cyber-essentials">Cyber Essentials</a> mandates 14-day patching. Our <a href="/vulnerability-scanning">vulnerability scanning</a> identifies unpatched systems. <a href="/penetration-testing/infrastructure">Infrastructure testing</a> assesses third-party system security.
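The check that matters here is a simple one: for every asset, internal or contractor-managed, how long has a fix been available and is it still unapplied? The following is an added example written for this article (it is not Hedgehog Security's scanning tooling or any ICRC system) showing how a 14-day patch window can be enforced over an asset inventory. The product names, version numbers, hosts and dates are constructed sample data; the `example-itsm` and `example-vpn` products are placeholders, not real software versions.

```python
"""Patch-window check: flag installed software whose fix has been available
for longer than a 14-day SLA. Added example with constructed sample data."""
from dataclasses import dataclass
from datetime import date, timedelta

PATCH_SLA = timedelta(days=14)  # the 14-day window cited for Cyber Essentials


@dataclass(frozen=True)
class Advisory:
    product: str
    fixed_in: str      # first version that contains the fix
    published: date    # date the fixed version became available


@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    version: str
    owner: str         # "internal" or the name of a third-party contractor


def parse_version(v: str) -> tuple:
    """Turn '9.10.0' into (9, 10, 0) so versions compare numerically,
    not as strings (string comparison would rank '9.10' below '9.2')."""
    return tuple(int(part) for part in v.split("."))


def is_vulnerable(asset: Asset, adv: Advisory) -> bool:
    """True when the asset runs the advisory's product below the fixed version."""
    return (asset.product == adv.product
            and parse_version(asset.version) < parse_version(adv.fixed_in))


def overdue_assets(assets, advisories, today):
    """Return (asset, advisory, days_overdue) for every asset that still runs a
    vulnerable version after the SLA window has elapsed. Assets that are
    vulnerable but still inside the window are not reported here."""
    findings = []
    for asset in assets:
        for adv in advisories:
            if not is_vulnerable(asset, adv):
                continue
            deadline = adv.published + PATCH_SLA
            if today > deadline:
                findings.append((asset, adv, (today - deadline).days))
    return findings


def overdue_by_owner(findings):
    """Group overdue hosts by who manages them, so contractor-managed systems
    are visible alongside internal ones rather than falling outside the report."""
    grouped = {}
    for asset, _adv, _days in findings:
        grouped.setdefault(asset.owner, []).append(asset.host)
    return grouped


# Constructed sample inventory and advisories (hypothetical products/versions).
ADVISORIES = [
    Advisory("example-itsm", fixed_in="2.4.0", published=date(2021, 10, 1)),
    Advisory("example-vpn", fixed_in="9.1.2", published=date(2021, 12, 20)),
]
ASSETS = [
    Asset("itsm-01", "example-itsm", "2.3.7", owner="contractor-a"),  # fix out 3 months, unpatched
    Asset("itsm-02", "example-itsm", "2.4.0", owner="internal"),      # patched
    Asset("vpn-gw-01", "example-vpn", "9.1.0", owner="internal"),     # vulnerable, inside window
    Asset("vpn-gw-02", "example-vpn", "9.10.0", owner="internal"),    # newer than fix
]
TODAY = date(2022, 1, 1)

if __name__ == "__main__":
    for asset, adv, days in overdue_assets(ASSETS, ADVISORIES, TODAY):
        print(f"{asset.host} ({asset.owner}): {adv.product} {asset.version} "
              f"< {adv.fixed_in}, {days} days past the 14-day deadline")
    print(overdue_by_owner(overdue_assets(ASSETS, ADVISORIES, TODAY)))
```

The point of the `owner` field is the one the ICRC case makes: a patch SLA only works if the inventory it runs over includes the systems a contractor hosts on your behalf, so those appear in the same overdue report as your own.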
70 Days Before Detection
The attackers were present in the ICRC's systems for approximately 70 days before being detected. <a href="https://www.socinabox.co.uk">SOC in a Box</a> provides the continuous monitoring that reduces dwell time from months to hours — even on systems managed by third parties.
Humanitarian Organisations Are Targets
The ICRC breach established that humanitarian organisations — which hold extraordinarily sensitive data about vulnerable populations — are cyber targets. For UK charities and NGOs, the lesson is direct: holding sensitive data about vulnerable people creates an obligation to protect it with proportionate security. <a href="/cyber-essentials">Cyber Essentials certification</a> provides the baseline. <a href="https://www.cyber-defence.io/services/incident-response">UK Cyber Defence</a> provides incident response.

The most sensitive data demands the most rigorous protection.

The ICRC breach demonstrated that data sensitivity must be assessed in human terms, not just regulatory categories. For UK organisations holding data about vulnerable people — charities, social services, healthcare providers, refugee organisations — the obligation to protect that data is moral as well as legal. Cyber Essentials provides the baseline. Penetration testing validates controls. SOC in a Box monitors continuously. And UK Cyber Defence provides the incident response capability that minimises harm when breaches occur.


The Red Cross held data on 515,000 of the world's most vulnerable people. It was stolen through an unpatched system.

<a href="/vulnerability-scanning">Vulnerability scanning</a> finds unpatched systems. <a href="/cyber-essentials">Cyber Essentials</a> mandates 14-day patching. <a href="https://www.socinabox.co.uk">SOC in a Box</a> detects intrusions.