WFP Data Breach in Gaza Exposes Aid Recipients to New Perils Amid Ongoing Crisis

Humanitarian operations in conflict zones carry risks that extend far beyond delivery of food and cash. Last month the World Food Programme learned this lesson once again. Unauthorized parties gained access to personal details belonging to roughly 600,000 households in Gaza through the agency’s self-registration application.

The breach happened on May 14. WFP detected it shortly afterward, shut down the platform, contained the intrusion and began strengthening controls. Yet public notification came later. The organization posted messages to affected Palestinians via Telegram on May 31 and followed up on June 2. The New Humanitarian first broke the scale of the incident.

Names. ID numbers. Phone numbers. Location data. Those four categories left the system. No evidence has surfaced that the information appeared on public forums or was sold. Still the exposure carries weight. Gaza remains a place where personal details can be weaponized. Tracking. Targeting. Extortion. The list of secondary threats feels immediate.

WFP moved to reassure recipients. “You do not need to update, delete, or re-register your information,” one statement read. “If you are already registered, you will remain part of the WFP assistance programs. Food, cash, and other assistance will continue as normal.” The self-registration tool stayed offline while engineers applied fixes. Aid flows continued through established channels. No one had to act.

But questions linger about timing. An anonymous whistleblower told The New Humanitarian that an independent expert had flagged vulnerabilities in the application two days before the breach. The Palestine team passed the alert to headquarters in Rome. Cybersecurity staff there reportedly confirmed the issue was fixed. The breach occurred anyway. Notification to beneficiaries took more than two weeks.

WFP has declined to detail the exact attack method or confirm whether the warning was heeded properly. Its spokespeople stress that the incident was limited to the self-registration system, known internally as the SRA or People Portal. Other databases, including the SCOPE beneficiary management platform slated for fuller rollout in Palestine this year, stayed untouched. Investigations continue. No attacker has claimed credit.

The numbers tell a sobering story. More than two million people in Gaza submitted information through the portal. The 600,000 affected households likely represent a huge share of those still receiving support. WFP assists 1.6 million Palestinians each month. That figure equals about 77 percent of the territory’s population. Unemployment hovers near 80 percent. Famine risks persist even after ceasefires. Families rely on wheat flour, fortified snacks and cash transfers just to eat.

A Gazan humanitarian worker captured the unease. “It comes at a very scary, unpredictable time where this law, and this data, can be literally weaponised against people, used to track people down, cause harm. And it’s been breached.” The comment, shared with The New Humanitarian, points to fresh Israeli requirements for aid organizations to share worker data. A Supreme Court ruling on May 20 upheld the practice. Trust erodes when sensitive records slip away at such a moment.

Experts see a pattern. Humanitarian groups collect intimate details from populations already under duress. Yet their data protection often trails behind practices common in commercial sectors. Aaron Martin, assistant professor of media studies and data science at the University of Virginia, told the same outlet that the sector “has been pretty poor at protecting data” despite stated values. “It makes vulnerable people feel even more vulnerable.”

This incident is not isolated within the United Nations system. Bleeping Computer noted previous breaches at other UN agencies. A 2019 cyberattack hit Geneva headquarters. The UN Environment Programme lost personal data of 100,000 employees in 2020. Ransomware group 8Base claimed a 2024 hit on UNDP that stole 42,000 records. The International Civil Aviation Organization suffered its own exposure that same year. WFP itself faced criticism in audits dating back to 2017 and 2022. Those reviews flagged weak risk assessments around personal data collection and called for major improvements in safeguarding beneficiary information.

The agency has partnered with Palantir, the data analytics firm with roots in military contracting. That relationship has drawn scrutiny from digital rights groups. A 2021 internal audit recorded 63.8 million identities in WFP’s SCOPE system, with 20 million actively managed. Plans call for expanded use of the platform in Gaza. Whether the current breach accelerates or complicates those efforts remains unclear. WFP says the SRA compromise did not touch SCOPE.

So what happens next? The platform will return with upgraded defenses. WFP advises people to ignore messages pretending to come from the organization, to avoid sharing details with strangers and to steer clear of suspicious links. Standard breach advice. In Gaza it feels heavier. Scammers could pose as aid workers demanding fees. Militant factions might exploit location data. Hostile actors could build profiles for future pressure.

And the larger picture? Humanitarian data security demands more than reactive patches. Past audits showed limited technical capacity inside WFP’s Palestine operation. The 2022 review specifically noted that risks tied to personal data collection had not been properly assessed or mitigated. Those gaps matter when the information belongs to families already navigating war, displacement and hunger.

Recent coverage echoes the concern. The Record reported that WFP took immediate action to contain the intrusion and strengthen controls. It highlighted the Telegram messages that first alerted recipients. SC Media and UpGuard both framed the event as a significant exposure for an organization that disbursed $2.82 billion in 2024 and maintains over 20,000 staff worldwide.

Discussions on X reflect similar alarm. Cybersecurity analysts point out that the breach turns vulnerable aid recipients into targets for follow-on attacks. One post called cybersecurity in such settings not merely IT hygiene but life safety. Another noted the potential for nearly all of Gaza’s remaining population to be affected when household sizes are considered.

WFP insists support will not falter. Registration records remain valid. Deliveries continue. The agency says it treats data protection as a top priority and is investigating with urgency. Those statements aim to calm fears. Yet the whistleblower’s account raises doubts about whether earlier warnings received the attention they deserved.

Humanitarian work has always involved hard trade-offs. Collecting names and locations helps target scarce resources. It also creates records that outlive the immediate crisis. In a territory where power shifts quickly and information can determine survival, the margin for error shrinks. This breach may prompt fresh examination of how agencies balance speed of aid against durability of safeguards.

The investigation continues. Technical details may emerge later. For now the 600,000 households wait. Their assistance flows. The data they entrusted sits somewhere in unknown hands. And the systems meant to protect them undergo repairs after the fact.