Surveilled, targeted, and now hacked: WFP must protect Palestinians in Gaza after massive data breach

We, the undersigned civil society organizations and experts, condemn in the strongest possible terms the cyberattack on the World Food Programme (WFP) that took place on May 14, 2026, exposing the personal data of 600,000 Palestinian households in Gaza, including their names, ID numbers, and location. While the full extent of the data breach remains unknown, including the actual number of impacted individuals, such exposure amid what has been repeatedly defined as a genocide carries grave risks for an already extremely vulnerable population. We urgently call on the WFP to be fully transparent about the details of this incident and to immediately take all possible measures to ensure that no further harm comes to the people linked to these datasets. 

The WFP notified affected people 17 days later, on May 31, 2026, via Telegram, of the cyberattack against its Self-Registration Application (SRA) for Palestine, a digital portal through which displaced Palestinians can directly sign up for food and cash assistance for themselves and their families. On June 2, 2026, the agency stated in a follow-up message that it had temporarily disabled the app for the time needed to strengthen its cybersecurity and data protection measures. This delay not only falls short of best practices for breach notifications but also puts the safety of people at risk.

This incident, which has been described as “what may be the largest-known breach of humanitarian beneficiary data to date”, is yet another shocking reminder of the consequences of pervasive mass personal data collection by humanitarian actors in the name of faster aid delivery and cost efficiency. Following the 2022 hack of the ICRC server containing the personal records of hundreds of thousands of missing persons and their families, we expected the sector to recognize the gravity of the threats posed to their digital systems and reform accordingly. Instead, we register with concern the normalization of humanitarian data hacking and the persistent gaps in transparency, protection, and accountability in the management of data breaches.

For instance, the SRA, which, according to WFP Annual Country Reports for Palestine, was key “to identify groups at risk more effectively, prioritizing aid for those facing the most severe hardships,” including “female-headed households and the most vulnerable,” requires an ID number for registration, and applicants must submit and regularly update detailed personal information about themselves and their households. This includes their names, date of birth, phone number, marital status, the names and ID numbers of family members, as well as their health status (e.g., pregnancies or disabilities), current place of residence or displacement, and the number of displacements since October 7, 2023, the date of most recent relocation, among other information. So far, more than 2 million people in Gaza have registered via the app, according to WFP’s own accounting.

When data can lead to death

Collecting a massive amount of personal data of almost the entire population of Gaza in a context well known for systematic population surveillance and data-driven lethal targeting creates serious and material risks for an already severely vulnerable population. Over the past two and a half years, Israel has been leading a brutal genocidal campaign against the population of Gaza, with damning records of deliberate targeting of the civilian population, including aid seekers as well as humanitarian, medical, and essential services’ personnel and facilities. Central to this genocidal campaign is the Israeli military’s use of AI systems and cloud computing technologies, powered by mass surveillance data collected on the entire population of Gaza. The data exposed in this breach is exactly the kind of information that fuels the targeting of civilians.

Humanitarians, more than any other actor, should be fully cognizant of this reality, as they have also been hit by the surveillance-fueled indiscriminate violence that has been unleashed on Gaza. This calls into question the necessity and proportionality of deploying a system that effectively catalogs almost every Palestinian household in Gaza and tracks their movements in such a highly risky context: What kind of cybersecurity and data protection assessments were run on this system before deployment in a high-risk context of ongoing violence and military occupation with extreme digital risk factors? Are these assessments adjusted to the cyber-heavy dimension of the ongoing conflict in Gaza? Are the results of these assessments public? If not, why? On what legal basis is this sensitive data collected and retained? 

We are also gravely concerned by the lack of transparency surrounding the incident. To date, WFP has provided little information about the extent of the attack or the steps it is taking in response. Reporting by The New Humanitarian (TNH) raises serious questions about WFP’s handling of the breach. According to TNH, an “independent expert” allegedly warned WFP of vulnerabilities found two days before the breach. Although the issue was reportedly escalated to WFP headquarters and staff were told it had been resolved, according to TNH, the breach occurred the same day of the internal escalation and remained undetected for another one to two days. Equally troubling is WFP’s silence about the actual number of people whose data were breached. As noted above, the 600,000 households initially reported likely represent millions of individuals, given that names and ID numbers must be submitted for every household member. 

We are further appalled by WFP’s apparent dismissal of the risks posed by the breach, as reflected in its statement that it is unaware of any “misuse or exploitation” of the data. We call into question the validity of this assessment, especially as TNH reported earlier that, as of May 31, 2026, WFP had allegedly neither conducted a risk assessment nor taken meaningful steps to evaluate or mitigate risks to people in Gaza.

No real choice: consent or go hungry

As is now broadly recognized, consent alone is not a sufficient legal basis for collecting highly sensitive data in conflict settings, as most people are faced with the impossible choice between hunger and surrendering their personal information. This breach and the profound risks it entails demand a fundamental reckoning with the accelerating digitization of humanitarian aid. Collecting data on individuals or communities caught in conflict carries inherent risks not only for them, but also for every actor involved in collecting, processing, managing, and storing that data. The decision to engage with the personal or demographic data belonging to already vulnerable populations is therefore a step that demands an exceptional level of scrutiny and justification, one that goes far beyond the narrow cost-benefit calculus linked to a transactional vision of humanitarian aid.

Only an absolute operational necessity to collect sensitive data through digital platforms in order to perform life-saving work could possibly justify exposing already vulnerable communities to the additional risks that come with digital data exposure. The WFP has undoubtedly played a significant role in delivering food and cash assistance amid one of the most challenging and catastrophic humanitarian crises in recent memory. Yet for a besieged and starving population, there is no meaningful choice but to register with the SRA, particularly when the WFP repeatedly urges people to sign up and update their information each time they are displaced or their household composition changes. In this context, was there ever an adequate assessment of the real added value of an online-first system weighed against the risks it carries? Was it truly necessary to run this risk? And do the metrics generated by the SRA, along with feedback from its users, justify that decision?

This grave data breach and its risks cannot be taken lightly. Merely notifying affected users of the breach is not a sufficient response. Despite established guidance on data risk management and the development of digital-inclusive standards, the humanitarian sector is still failing to integrate digital-related risks and harm mitigation in their protection strategies. We take this opportunity to remind WFP and the humanitarian sector at large of their responsibilities towards the very vulnerable people they’re assigned to protect. Palestine tops the list of the crises driving civilian risk, an assessment confirmed by the IRC Emergency Watchlist, the Global Protection Cluster Severity Tracker, and the latest UN Secretary General Report on the Protection of Civilians in Armed Conflict drafted by UN OCHA. The protection of the data linked to this crisis goes beyond standard concerns linked to privacy and data protection, straight into the physical integrity of the affected people, and it therefore sits at the very heart of the do no harm principle.

We, therefore, urgently call on:

The World Food Programme and other humanitarian organizations:

  • Transparently disclose a full and independent investigation, including the precise number of impacted individuals, and the measures taken to inform them; receive their inputs on the needed protection, mitigation, and redress mechanisms, and take immediate and active steps towards implementing them; 
  • Immediately impose a moratorium on the reactivation and redeployment of the SRA for Palestine until a comprehensive, context-specific risk assessment has been conducted and harms can be demonstrably and adequately prevented and mitigated;
  • Refrain from the collection and processing of personal data, or the deployment of data-driven digital tools in humanitarian contexts, until at minimum the following conditions are met: 
    • An evidence-based justification is articulated for the collection of such data and its intended use based on the best interest of beneficiaries, not on donor compliance; meaningful engagement with affected communities is undertaken prior to any collection or processing, including genuine listening and responsiveness to both real and perceived risks; 
    • An assessment of the power dynamics and a thorough analysis of the legal basis under which data is collected and processed is conducted, recognizing that informed consent can only be given where there is genuine choice; independent security audits of all digital tools and platforms are also carried out; strict sunsetting of programs and data retention limits are set; 
    • Independent data protection and protection-specific impact assessments contextualized to the specific use case are conducted, in which risks are thoroughly documented and data collection proceeds only where those risks can be adequately mitigated; and
    • Furthermore, humanitarian organizations must ensure that these measures or conditions do not halt or delay the provision of essential aid and services provided to people and communities.
  • Implement and rigorously enforce robust data protection policies, including data minimization by design, across operations, tools, and platforms, that are context-specific and adequate to the threat model faced by the local communities; and
  • Integrate and operationalize a protection approach reflective of the digital risks involved in armed conflicts as outlined in chapter 8 of the Professional Standards For Protection Work (PSPW) for human rights and humanitarian actors.

Donors and governments: 

  • Immediately request their humanitarian grantees involved in the Gaza crisis response to conduct an external, independent cyber audit possibly followed by the same exercise across all conflicts presenting the most serious concerns with regards to the protection of civilians; 
  • Immediately request their humanitarian grantees to adopt policies aimed at improving the transparency and accountability of their tech management, with special attention to open policies for responsible disclosure of:
    • Data governance for programmes and affected populations;
    • Tech partnerships and related contractual/compliance documentation;
    • Digital architecture for programmes, covering the full data lifecycle of affected individuals; and
    • Strategies and policies for data protection and protection from digital-related harms.
  • Prioritize providing sufficient resources and funding needed for their humanitarian grantees to conduct external and internal security audits, risk assessments, and implement digital related harm-mitigation and protection strategies;
  • Call on relevant regulatory and legal authorities to launch immediate independent investigations into the cyberattack, ensuring transparency and accountability for the affected individuals;
  • Provide incentives and support to the integration of humanitarian personnel into existing Computer Emergency Response Teams (CERTs) and in all other similar spaces, in coordination with the digital rights community; and
  • Reaffirm in the strongest terms the protected nature of civilian data and the digital infrastructure underpinning it, especially when entrusted to humanitarian or medical organizations. 


Tech companies:

  • Cybersecurity experts and companies to openly and proactively support investigations on the cyberattack; and 
  • Accompany the integration of humanitarian personnel into existing CERTs and in all other similar spaces.

Signatories

  • Access Now
  • 7amleh – The Arab Center for the Advancement of Social Media
  • African Digital Rights Network
  • Beam Reports – Sudan
  • Digital Sovereignty Observatory
  • Global Voices
  • HuMENA for Human Rights and Civic Engagement
  • Keren Weitzberg, Senior Lecturer, Queen Mary University of London
  • Margie Cheesman, Lecturer, King’s College London
  • Meedan
  • Silvia Masiero, Professor, University of Oslo
  • Skyline International for Human Rights (SIHR)
  • SMEX
  • Speak Up
  • Tobias Denskus, Associate Professor, Malmö University, Sweden
  • World Humanitarian Action Forum (WHAF)