ICRC cyber security incident

The ICRC has determined that servers hosting the personal information of more than 500,000 people receiving services from the Red Cross and Red Crescent Movement were compromised in a sophisticated cyber security attack. Australian Red Cross uses this database for our RFL and detention monitoring programs. We do not yet know whether information entered by Australian Red Cross into the database is specifically impacted. Red Cross and Red Crescent teams globally use the database, however the information stored in the database comes from any case we have worked on, from any country.

Information that you have provided to Australian Red Cross may have been put into the database. This is a standard internal process to ensure that information is kept in one place, and we can communicate with our partners in other countries when trying to find a missing loved one.

This information may include your name, your contact details, information about the circumstance of your missing loved one, and the names and contact details of any relatives you have told us about, or information about the circumstances of your detention and the concerns you raised with us. It includes all documents provided to us in the course of managing your case, which may include identity documents, intake forms, Attestation of Detention certificates from ICRC, Red Cross Messages exchanged between family members, and photos.

We confirm that there is currently no indication that your personal information has been deleted or tampered with. Further, we have not identified any evidence of any misuse or public disclosure of this data. This remains under close review, and we will let you know if this position changes.

As soon as the ICRC became aware of the incident, it took the compromised servers offline. This means that we are not currently able to access any case information or work on any cases.

The ICRC is now in the process of identifying short-term solutions to enable Red Cross and Red Crescent teams worldwide to continue providing humanitarian services for the people impacted by this incident.

Separately, Australian Red Cross is undertaking an independent review of local systems and services to ensure that they remain secure.

Together, we are working to support potentially affected clients and to further strengthen systems to prevent a similar incident from reoccurring.

• Find a family member missing as a result of war, disaster or migration.
• Send a message to a relative where there is no other means of communication.
• Check the welfare of a relative overseas whom you are unable to reach.
• Request documentation about an individual.
• Monitoring conditions of immigration detention facilities.

• Help locate people missing.
• Share and store information about RFL cases, including messages exchanged with your relatives in another country.
• Record issues of humanitarian concern raised with us by people in immigration detention.
• Store communications with people in immigration detention.
• Record information about referrals we have made in relation to supports for you and your family (which were discussed with you).

Restoring Family Links (RFL) is a global service delivered in countries around the world. Red Cross and Red Crescent societies, including Australian Red Cross, use an online system to store information about RFL cases. We do this so information is securely stored in one place, and we can communicate with our Red Cross partners in other countries when trying to find a missing loved one.

We also use this system when supporting people in immigration detention.

ICRC servers hosting the RFL database and related systems were compromised. The hackers were inside the system and had the ability to copy and export information. We do not yet know whether information entered by Australian Red Cross into the RFL database is specifically impacted. Information that may have been impacted includes correspondence and records about your case, including contact details of your loved ones if this was relevant to your case. To our knowledge the information has not been published or traded at this time, and we are closely monitoring this.

Where a third party may have access to your contact information, it is important to:

• Change passwords – change your online passwords if you have not already done so. If you emailed yourself passwords for other accounts, change these as well. The Australian Cyber Security Centre provides guidance around good password practice.
• Take caution – if you are suspicious of the address, contact your service provider to ensure you are logging into the correct page. Do not provide your login details.
• Enable additional protections – set-up multi-factor authentication for your online accounts where possible and ensure you have up-to-date anti-virus software installed on any device you use to access online accounts.
• Check links – take note of what is called a ‘Uniform Resource Locator’ or ‘URL’ when on a webpage that is asking for your login credentials. This is located in the address bar of your web browser and typically starts with ‘https://’
• Mobile phone porting – stay alert for mobile phone carriers indicating that your phone is no longer connected to the network where this is unusual, or you have not instructed your mobile phone carrier to terminate the connection. Where this occurs, we recommend alerting your mobile phone carrier of the issue immediately.
• Review Scamwatch guidance – you may wish to review the Australian Competition and Consumer Commission's Scamwatch guidance on protecting yourself from scams.

For further guidance about protecting your identity, you may wish to visit the Australian Cyber Security Centre’s guidance page.

We are still going through the careful process of understanding the full scope of the incident and the way that our clients are affected. We are committed to providing you with a further update as relevant information comes to light, including providing updated advice on precautionary steps you can take.

If you suffer distress, we recommend that you seek health advice from a registered health professional you know and trust.

Additional support is available for you and your loved ones, to help you address any questions or concerns about this notice and the incident. These include:

Australian Red Cross
You can call our hotline using the phone numbers listed above.

Please also check this webpage for updates over the coming days.

IDCARE
If you are concerned about the potential misuse of your personal information, we have arranged free support from IDCARE, Australia’s national identity and cybersecurity community support service.

Please engage an IDCARE Case Manager via IDCARE’s Get Help Web Form if you have broader identity security concerns.

Alternatively, you may visit IDCARE’s Learning Centre for further information and resources on protecting your personal information. IDCARE’s services may be accessed by providing referral code RCA-ID22 when completing its Get Help Web Form or calling 1800 595 160.

Your health care practitioner
If you suffer distress, we recommend that you seek advice from a registered health professional you know and trust. When you see your general health practitioner, they’ll assess what help you need.

Please refer to our email for more information on how these organisations can support you and your loved ones.