ICRC Data Breach - information for people who use our RFL service

On 18 January 2022, a breach as the result of a cyber attack was discovered at one of the International Committee of Red Cross (ICRC) data centre service providers. 

Read our media release

Read more on the ICRC website about the cyber-attack


Is your data affected and what does this mean?

If you have engaged with the New Zealand Red Cross Restoring Family Links service, your contact details may have been on the case management system we use to find missing family due to armed conflict, disaster or migration.  This case management system is hosted by the International Committee of Red Cross (ICRC) on servers in Switzerland.

The breach means someone outside Red Cross has accessed the RFL system and may have accessed your information. To the best of our knowledge no information has been altered. The ICRC does not know why this attack occurred, however there is no evidence yet of operational and personal data being manipulated or taken.  Without knowing the motives, it is difficult to estimate the potential harm this breach may have caused.  It is possible leaked confidential data may be shared publicly, which might put affected people at risk. Currently, there is no indication compromised information has been leaked or shared publicly.


What are we doing about the situation?

The ICRC suspended all access to the compromised systems to reduce the immediate impact of this breach. While we do not yet know the scope and the impact of this attack, we are working to investigate the breach and assess its risks and impact. The technical teams of New Zealand Red Cross and ICRC are working together on further strengthening the systems to prevent future breaches to the greatest extent possible.

On Friday 21 January New Zealand Red Cross notified the Office of the Privacy Commissioner of this data breach. 

We will be notifying those who have potentially been affected following guidance from the Office of the Privacy Commissioner.


The work of the Restoring Family Links service will continue

People entrust us with personal information and details about often traumatic events in their lives. This is not a responsibility we take lightly. We want you to know we are doing everything we can to restore the services that we are so proud to offer across the world. We will work to earn your trust so we can continue to serve you.


Data protection

We want to reassure you that New Zealand Red Cross takes data security and privacy very seriously, especially the safety of the people we assist, and the protection of their information. We have invested substantially in cyber security and work with trusted partners to maintain high standards of data protection and systems, including the monitoring of suspicious activity. Both the ICRC and New Zealand Red Cross are doing everything in our power to fix this and prevent this from happening again.


What you need to do

Contact us with any concerns

You will hear from us if you have been affected. In the meantime if you have concerns that your personal information may have been compromised, please contact the

-     RFL Coordinator via email at familylinks@redcross.org.nz; OR

-     New Zealand Red Cross Privacy Officer via email at privacy@redcross.org.nz  


Be alert for any phishing attacks

Phishing is a fake message designed to trick people into revealing sensitive information or to deploy malicious software (like ransomware) onto the victim's computer or phone.  

-     For more information on phishing see the advice from the government’s Computer Emergency Response Team which is known as CERT NZ.

If you receive a suspicious email or text message claiming to be from Red Cross or asking for your personal information, immediately delete the message and do not forward or share it.