
World Food Programme Data Breach Exposes 600,000 Gaza Households
A cyberattack on the United Nations' World Food Programme has compromised the personal data of approximately 600,000 Palestinian households in Gaza. The World Food Programme data breach, which the agency confirmed on June 2, is believed to be the largest known breach of humanitarian beneficiary data on record. Attackers accessed the WFP's self-registration application on May 14, and affected individuals did not receive notification until 17 days later.
What the Attackers Accessed
The compromised system is the WFP's Self-Registration Application (SRA) for Palestine, the platform Palestinians use to enrol for food and cash assistance after identity verification. Unauthorised parties gained access to the data stored within it, walking away with names, ID numbers, mobile phone numbers, and location data including neighbourhood-level details recorded at the point of registration.
The WFP confirmed the breach does not affect SCOPE, its broader global beneficiary identification and transfer management system. The SRA breach was contained to the Palestine-specific registration platform. Still, the volume and sensitivity of the exposed records place this incident in a category of its own.
A Warning That Came Too Late
Two days before the breach, an anonymous expert contacted WFP's beneficiary feedback mechanism with a warning. The individual had identified security vulnerabilities in the SRA platform and flagged them to the agency. WFP's Palestine country team passed the warning up to the Rome headquarters, where the cybersecurity team assessed the issue and indicated it had been resolved. The attack came 48 hours later.
WFP has not disclosed how the attacker gained access, and no threat actor has claimed responsibility. The investigation remains ongoing.
Why This Data Carries Exceptional Risk
In most data breaches, the primary concern is fraud, identity theft, or phishing. This incident carries those risks and others that are specific to the context. The data belongs to aid recipients in an active conflict zone. In Gaza, location details tied to individual ID numbers represent a category of exposure that goes beyond financial harm.
WFP provides food parcels, hot meals, bread, and cash assistance to roughly 1.6 million people in Gaza every month. More than 2 million people had submitted personal information to the SRA. The records that were taken are not abstract data points. They describe where specific individuals live and who they are.
The agency was aware of this sensitivity. A 2017 internal audit flagged that WFP needed significant improvement in how it safeguarded beneficiary data. Progress was made in the years that followed, but this breach demonstrates that critical gaps remained.
WFP's Response
The WFP temporarily suspended the SRA platform after discovering the intrusion and confirmed as of Tuesday that it remained offline while security improvements are implemented. The agency published a Telegram message reassuring registered beneficiaries that their assistance would continue without interruption and that they did not need to re-register.
The agency also warned beneficiaries to be cautious of anyone claiming to represent the WFP while requesting personal information or money, and advised against clicking suspicious links or messages. That warning points directly to the secondary threat that follows a breach of this kind: targeted phishing and impersonation campaigns against people who already have limited ability to verify who they are communicating with.
A Pattern Across UN Agencies
The WFP is not the first UN body to suffer a significant breach, and the pattern across the organisation is worth noting. In 2019, a cyberattack hit the UN's Geneva offices and went undisclosed. The UN Environment Programme later exposed the personal data of more than 100,000 employees. In 2024, the UN Development Programme was struck by an 8Base ransomware attack, and the UN International Civil Aviation Organization confirmed attackers had stolen approximately 42,000 records from a recruitment database.
Each of those incidents prompted internal reviews and pledges of stronger controls. The WFP breach, especially given the pre-attack vulnerability warning, raises questions about whether those commitments translate into consistent operational security practice across the organisation's decentralised structure.
Humanitarian Organisations as Targets
The WFP incident fits a broader trend. Digital security researchers have noted for several years that humanitarian organisations collect large volumes of sensitive personal data while operating under resource constraints that limit their ability to secure it. A 2022 cyberattack on the International Committee of the Red Cross exposed sensitive data belonging to more than 515,000 people. The Norwegian Refugee Council reported a similar attack the following year.
These organisations hold data on some of the most vulnerable populations in the world. That makes them targets. The WFP breach serves as a reminder that the data protection obligations of humanitarian agencies are not a secondary concern. They are central to the safety of the people those agencies exist to serve.