21 January 2022 | Media Release

On 20 January 2022 (NZT 6:08am) New Zealand Red Cross were advised by the International Committee of the Red Cross (ICRC) that on the morning of 18 January 2022, they learned the ICRC Central Tracing Agency systems had been exposed to a highly sophisticated Cyber Security incident and Personal Data Breach.

ICRC immediately suspended all access to the Central Tracing Agency systems to stop the attack and protect the information. ICRC has engaged an external specialist firm offering technical guidance. ICRC immediately implemented mandated regular password changes for user logins.

ICRC is unsure of the motivations of the attackers. There is evidence that UserID information and passwords were extracted; however, there is no evidence yet of operational and personal data being accessed, extracted or manipulated. Without knowing the motives, it is difficult to estimate the potential and likelihood of the harm that this breach has caused.

The categories of persons affected by the breach consist of National Society staff end-users and, most likely, missing persons, separated persons, families of separated and missing persons, accompanying persons, persons in detention, interlocutors and any other persons whose personal information may have been collected and stored in these applications. This is particularly disturbing for families in sensitive situations.

Sarah Stuart-Black, Secretary General, New Zealand Red Cross, said, “Following being notified of this privacy breach by ICRC, New Zealand Red Cross has taken action to ensure all NZRC users who have access to the compromised system(s) have changed their passwords.”

Ms Stuart-Black confirmed, “Whilst NZRC’s data is housed geographically separate from that of the compromised systems, we are employing effective security to monitor and alert for any suspicious events. Over the previous 18 months NZRC has implemented a range of enhancements to our ICT systems due to the increasing threat of Cyber Security attacks. The data related to the Restoring Family Links service is hosted separately by ICRC – this data may have been exposed in this event. We are monitoring the situation closely.”

NZRC continues to monitor the situation closely and is working with ICRC to put in place measures to protect our systems and data. ICRC have advised that access to the Central Tracing Agency systems will not resume until there is assurance that the data is secure.

NZRC will be ready to respond quickly to inform those that could be impacted as soon as we have access to that information.

To the best of NZRC's knowledge at this time, our information has not been tampered with and is intact.

NZRC has notified the Office of the Privacy Commissioner.

-ENDS-

Further information:

1. Three NZRC staff members with UserID login to the Central Tracing Agency systems are affected and have been notified.

2. The three NZRC users who have access to the compromised system(s) have changed their passwords. NZRC already has two-factor authentication.

3. NZRC will notify its clients once it has been established there has been a cyber-attack and potential privacy breach of NZRC data.

4. The Central Tracing Agency systems are used in supporting NZRC Restoring Family Links programme data.

For more information contact:

media.comms@redcross.org.nz Ph 04 495 0139

About New Zealand Red Cross

The New Zealand Red Cross mission is to improve the lives of vulnerable people by mobilising the power of humanity and enhancing community resilience.

The Red Cross Fundamental Principles guide everything that we do, whether we're helping people in communities across Aotearoa New Zealand or providing urgent relief in response to an international disaster. These seven principles unite the worldwide Red Cross Red Crescent Movement to help without discrimination those who suffer and by doing so contribute to peace in the world.