New Zealand Red Cross Investigating Data Security In International Committee Of The Red Cross Privacy Breach
On 20 January 2022 (NZT 6:08am) New Zealand Red Cross
were advised by the International Committee of the Red Cross
(ICRC) that on the morning of 18 January 2022, they learned
the ICRC Central Tracing Agency systems had been exposed to
a highly
sophisticated Cyber Security incident and
Personal Data Breach.
ICRC immediately suspended all access to the Central Tracing Agency systems to stop the attack and protect the information. ICRC has engaged an external specialist firm offering technical guidance. ICRC immediately implemented mandated regular password changes for user logins.
ICRC is unsure of the motivations of the attackers. There is evidence that UserID information and passwords were extracted, however there is no evidence yet of operational and personal data being accessed, extracted or manipulated. Without knowing the motives, it is difficult to estimate the potential and likelihood the harm that this breach has caused.
The categories of persons affected by the breach consist of National Society staff end-users and, most likely, missing persons, separated persons, families of separated and missing persons, accompanying persons, persons in detention, interlocutors and any other persons may have collected and stored personal information in these applications. This is particularly disturbing for families in sensitive situations.
Sarah Stuart-Black, Secretary General New Zealand Red Cross said, “That following being notified of this privacy breach by ICRC, New Zealand Red Cross has taken action to ensure all NZRC users who have access to the compromised system(s) have changed their passwords.”
Ms Stuart-Black confirmed “Whilst NZRC’s data is housed geographically separate from that of the compromised systems, we are employing effective security to monitor and alert for any suspicious events. Over the previous 18 months NZRC has implemented a range of enhancements to our ICT systems due to the increasing threat of Cyber Security attacks. The data related to the Restoring Family Links service is hosted separately by ICRC – this data may have been exposed in this event. We are monitoring the situation closely.”
NZRC continues to monitor the situation closely and is working with ICRC to put in place measures to protect our systems and data. ICRC have advised that access to the Central Tracing Agency systems will not resume until there is assurance that the data is secure.
NZRC will be ready to respond quickly to inform those that could be impacted as soon as we have access to that information.
To the best of NZRC knowledge at this time, our information has not been tampered with and is intact.
NZRC has notified the Office of the Privacy
Commissioner.