UN food agency discloses breach affecting 600,000 Gaza households

Source: Bleeping Computer

Image: Kaga Tau (CC BY‑SA 4.0)

Incident overview

The United Nations World Food Programme (WFP), the world’s largest humanitarian organization, disclosed that its self‑registration application (SRA) for Palestine was breached.

Breach details

• Date of breach: 14 May 2026
• Scope: Personal data of beneficiaries in roughly 600,000 Palestinian households in Gaza.
• Compromised information: Names, ID numbers, phone numbers, and location data (neighbourhood information recorded during registration).

The WFP announced the incident in a Sunday Telegram message.

WFP response

• The registration platform has been temporarily suspended while security improvements are implemented.
• Beneficiaries were advised: “You do not need to update, delete, or re‑register your information. If you are already registered, you will remain part of the WFP assistance programs. Food, cash, and other assistance will continue as normal.”
• The organization warned Palestinian beneficiaries to be wary of anyone claiming to represent the WFP and requesting information or money, and to avoid clicking suspicious links or messages.
• A follow‑up update on Tuesday confirmed the platform remained down as security measures were strengthened.

A WFP spokesperson was not available for comment when contacted by BleepingComputer.

Impact on beneficiaries

• Assistance (food, cash, etc.) continues for those already registered.
• No requirement for beneficiaries to re‑register or update their data.

About the World Food Programme

• Founded: 1961; Headquarters: Rome, Italy.
• Staff: Over 20,000 in more than 120 countries and territories.
• Logistics: Operates the largest humanitarian logistics network, with ~5,000 trucks, 20 ships, and ~80 aircraft delivering aid.
• 2024 figures: US $2.82 billion in financial assistance disbursed; ~2.5 million metric tons of food delivered worldwide.

Previous UN data breaches

• 2019: The United Nations failed to disclose a cyber‑attack affecting its Geneva offices (investigation).
• 2015: UN Environment Programme (UNEP) exposed PII of over 100,000 employees (source).
• 2024:
  • UN Development Programme (UNDP) hit by an 8Base ransomware attack (details).
  • UN International Civil Aviation Organization (ICAO) suffered a breach of a recruitment database, compromising ~42,000 records (source).

References

• WFP Telegram announcement: https://t.me/wfp_gaza/20
• The New Humanitarian report on the breach: https://www.thenewhumanitarian.org/news/2026/06/02/data-600000-gaza-households-exposed-wfp-cyber-attack
• Historical UN breach investigations:
  • https://www.thenewhumanitarian.org/investigation/2020/01/29/united-nations-cyber-attack
  • https://www.bleepingcomputer.com/news/security/united-nations-data-breach-exposed-over-100k-unep-staff-records/
  • https://www.bleepingcomputer.com/news/security/united-nations-agency-investigates-ransomware-attack-claimed-by-8Base-gang/
  • https://www.bleepingcomputer.com/news/security/un-aviation-agency-confirms-recruitment-database-security-breach/