We, the undersigned civil society organizations and experts, condemn in the strongest possible terms the cyberattack on the World Food Programme (WFP) that took place on May 14, 2026,
exposing the personal data of 600,000 Palestinian households
in Gaza, including their names, ID numbers, and location. While the full extent of the data breach remains unknown, including
the actual number of impacted
individuals, such exposure amid what has been
repeatedly defined
as a
genocide
carries grave risks for an already extremely vulnerable population. We urgently call on the WFP to be fully transparent about the details of this incident and to immediately take all possible measures to ensure that no further harm comes to the people linked to these datasets.
The WFP
notified affected people
17 days later, on May 31, 2026, via Telegram, of the cyberattack against its
Self-Registration Application
(SRA) for Palestine, a digital portal through which displaced Palestinians can directly sign up for food and cash assistance for themselves and their families. On June 2, 2026, the agency stated in a
follow-up message
that it had temporarily disabled the app for the time needed to strengthen its cybersecurity and data protection measures. This delay not only falls short of best practices for breach notifications but also puts the safety of people at risk.
This incident, which has been described as
“what may be the largest-known breach of humanitarian beneficiary data to date”
, is yet another shocking reminder of the consequences of pervasive mass personal data collection by humanitarian actors in the name of faster aid delivery and cost efficiency. Following the
2022 hack of the ICRC server
containing the personal records of hundreds of thousands of missing persons and their families, we expected the sector to recognize the gravity of the threats posed to their digital systems and reform accordingly. Instead, we register with concern the normalization of humanita
