Image: Kaga Tau (CC BY-SA 4.0)
The United Nations’ World Food Programme (WFP), the world’s largest humanitarian organization, revealed over the weekend that its self-registration application (SRA) for Palestine was breached.
The WFP disclosed the incident in a Sunday Telegram message, saying that the self-registration application used for assistance registration in Gaza had been breached.
During the breach, the attackers gained access to personal data belonging to beneficiaries across the Gaza Strip, including affected individuals’ names, ID numbers, phone numbers, and location information (such as neighborhood data recorded during registration).
“You do not need to update, delete, or re-register your information. If you are already registered, you will remain part of the WFP assistance programs. Food, cash, and other assistance will continue as normal, and you will continue to receive assistance,” the organization said. “The Registration Platform (SRA) has been temporarily suspended to implement urgent security and system protection improvements. The Programme is currently investigating the incident and is continuously monitoring the situation.”
In a Tuesday update, the WFP added that the registration platform was still temporarily down while it continues to strengthen security measures.
While the humanitarian organization has yet to publicly disclose the number of individuals whose data was stolen in this incident, the WFP said in a statement shared with The New Humanitarian that the attackers breached its systems on May 14 and that they stole the information of people in roughly 600,000 Palestinian households in Gaza.
Over the weekend, the WFP also warned Palestinian beneficiaries to “be wary of anyone claiming to represent the World Food Programme and requesting information or money” and not click or open any suspicious links or messages.
A World Food Programme spokesperson was not available for comment when contacted by BleepingComputer earlier today for more details.
Founded in 1961 and headquartered in Rome, Italy, the WFP is a UN agency funded by donations from governments, corporations, and private donors, and working to combat global hunger and provide emergency food relief during humanitarian crises.
The WFP has over 20,000 staff in over 120 countries and territories and operates the largest humanitarian logistics network on the planet, with 5,000 trucks, 20 ships, and around 80 aircraft delivering emergency assistance at any given time.
In 2024, it disbursed US$2.82 billion in financial assistance and delivered approximately 2.5 million metric tons of food to millions of people worldwide.
This isn’t the first data breach affecting a United Nations agency in recent years. For instance, the United Nations itself failed to disclose a cyberattack that affected its Geneva offices in August 2019, and five years ago, the UN’s Environmental Programme (UNEP) exposed the personally identifiable information (PII) of over 100,000 employees.
More recently, in 2024, an 8Base ransomware attack hit the UN Development Programme (UNDP), and attackers stole approximately 42,000 records from a recruitment database belonging to the UN International Civil Aviation Organization (ICAO).
Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.
The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.
