In a particularly low blow, a Red Cross cyberattack compromised personal data and confidential information of more than 515,000 highly vulnerable people.

The cyberattack was against computer servers hosting information held by the International Committee of the Red Cross (ICRC).

The attacker[s] compromised personal data of people separated from their families due to conflict, migration and disaster. They also compromised data of missing persons and their families, and people in detention. The data originated from at least 60 Red Cross and Red Crescent National Societies around the world.

The ICRC’s most pressing concern following this attack is the potential risks that come with this breach. The attacker[s] may share confidential information for people the Red Cross and Red Crescent network seeks to protect and assist, as well as their families.

“When people go missing, the anguish and uncertainty for their families and friends is intense,” the ICRC said in a release confirming the attack.

Who’s Behind Attack Remains Unknown

The ICRC has no idea who carried out this cyberattack. It targeted an external company in Switzerland that the ICRC contracts to store data. There is not yet any indication that the attacker[s] have leaked or shared compromised information.

Sam Curry is Cybereason’s CSO.

Cybereason’s Sam Curry

“The Red Cross and other nonprofit organizations are more vulnerable to cyberattack than other similarly sized organizations,” he said. “The nonprofit world may not have margins, but they are accountable to donors and backers for spending as high of a percent as possible of their funds on the mission.”

Every dollar spent on overhead or administration means a dollar not spent, for instance, on blood collection, storage and distribution, Curry said. It also means they have less money to attract the best and brightest for security positions.

“Having said that, those who answer the call to a nonprofit are often motivated not by money, and many have built excellent security shops,” he said. “It’s fair to say though that security at a nonprofit is playing the cyber game on the hardest difficulty level.”

All Data Is Valuable

Archie Agarwal is founder and CEO of ThreatModeler.

Threatmodeler’s Archie Agarwal

“Organizations may not see themselves as targets because they don’t have the revenue of a Fortune 500 company, but may still be ripe targets because of the cache of data they own,” he said. “Perhaps attackers thought personal information of a half-million individuals the Red Cross serves was valuable because these victims might be less able to defend themselves when compromised. Perhaps the ICRC’s supplier simply had publicly accessible systems with obviously poor hygiene and were a target of opportunity.”

Threat modeling can help organizations think like these attackers, Agarwal said. They can understand what assets an adversary may value and imagine how they might get access to them.

“Having done so, organizations can evaluate what ends potential adversaries would be willing to go to obtain such data, and design appropriate controls to keep those data protected,” he said.

More than Just Financial Gain

Tim Wade is technical director of Vectra’s CTO team.

Vectra’s Tim Wade

“While some cybercriminal groups have rules to keep organizations like the Red Cross out of the line of fire, this isn’t a universally adopted position,” he said. “This attack seems to have little financial gain for the cybercriminals behind it. But we’re increasingly seeing attacks that are just as much about disruption, fear and discrediting opposing ideologies instead of making money. Regardless of whether this was targeted or merely opportunistic, it’s clear that every organization faces some level of material cyber threat today.”

Hank Schless is Lookout‘s senior manager of security solutions.

Lookout’s Hank Schless

“With few details about the nature of the attack itself, aside from confirming that it wasn’t a ransomware attack, it’s difficult to nail down the intentions of the actor,” he said. “However, when it comes to sensitive personal data, nothing is off limits to cybercriminals nor is any data low value. Depending on what data was stolen by the attackers, they could use it to carry out fraudulent activities online, blackmail the victims or sell it to other malicious actors on the dark web.”

Fairly Common Tactic

It’s interesting that attackers went after an external company that stores data on behalf of the Red Cross, Schless said. This is a fairly common tactic and exemplifies how third-party integrations present additional risk to any organization’s data.

“If you’re going to integrate with a third party, even if it’s through a simple API to store data, it’s critical to go through a full security review with the solution provider,” he said. “Doing so on a regular basis will help mitigate the risk of your data mistakenly being leaked from an environment that’s out of your control. It’s also important to be able to understand how data is moving in and out of your infrastructure — both through automated processes and manual employee actions.”

This attack shows how threat actors have ways to indirectly attack any organization, Schless said. With broad cloud adoption, organizations of every type now have complex ecosystems of integrated solutions. That opens up countless avenues for unauthorized users to be able to access sensitive data.

“The ability to identify and classify sensitive data, as well as apply the right level of encryption to it, even after it leaves your infrastructure, is key to mitigating the risk of data loss in today’s threat landscape,” he said.