.png)
WFP cyber-attack: Is nearly all of Gaza’s population exposed?“The food programme is often seen to be the cowboys. They push the envelope.”
- Irwin Loy | The New Humanitarian
- Jun 3
- 5 min read
“The food programme is often seen to be the cowboys. They push the envelope.”
GENEVA
How many people is 600,000 households, exactly? The World Food Programme isn’t saying.
Inklings explores how aid works in the wilds of humanitarian hubs, on the front lines of emergency response, or in the dark corners of aid punditry.
Today: What WFP is leaving out of data breach reports, the humanitarian reset’s neglected crises, and Palantir.
On the radar |
How many people is 600,000 households? That’s one of many questions floating among the chattering class after the cyber-attack on the World Food Programme, which we reported with colleague Jacob Goldberg this week.
Quick recap: A 14 May cyber-attack on the WFP exposed sensitive data belonging to Gazans. The “beneficiaries” had signed up for aid on the WFP’s self-registration app, known as People Portal. A data breach of any kind is significant. A breach of this scale – potentially affecting the vast majority of a population – seems more so. And it’s especially fraught in Gaza, where Israel has used algorithmic weapons systems to target deadly strikes, and where some 3,000 people have been killed while trying to seek aid (including assistance from WFP).
The number: It has been oddly difficult getting a basic number of how many people have been hit by the data breach. WFP told us “600,000 households” are affected – all in Gaza. But it has declined requests to say the total number of affected people.
Why: The cynical take is obvious: 600,000 is simply the lower number. It also happens to obscure the scale of the data breach. The previous largest-known hack on humanitarian data – 2022’s attack on the International Committee of the Red Cross – affected 515,000 people. Kind of comparable… right? So is WFP holding back strategically, or is its own data not crunched to the individual level? We’re waiting on a response to more follow-up questions. But WFP has had no problem counting when it wants to promote People Portal: More than 2 million people used it to register in Gaza.
How many people is a household? As the eagle-eyed (or those with basic understanding of Gaza demographics) point out, 600,000 households doesn’t seem to add up. Some 2.23 million people lived in the Gaza Strip in 2023, according to census estimates. At least 75,000 people “died violently” during Israel’s assault on Gaza, researchers estimate. Humanitarian groups today use a figure of about 2.1 million; the majority are displaced amid Israel’s declared ethnic cleansing of the strip. But the average household size in Gaza is 5.5 people, according to the census estimates. Applying this to WFP’s 600,000 number suggests a population of 3.3 million people, which is obviously not plausible.
Humanitarian math(s): Different groups have different lists and different numbers. Members of the Site Management Cluster in Gaza use an incomplete figure of 355,000 households hosting 1.7 million people – about 4.8 people per household. Notably, this data is verified through in-person visits and phone interviews. Stats from aid groups working on food security suggest a third figure: 440,000 people in 122,000 households, or 3.6 people per household. This lower ratio comes closest to aligning with WFP’s numbers (WFP, of course, co-leads the global food security cluster).
What does it mean: Any way you count it, the numbers suggest a stark toll: Nearly every person still in Gaza has had their personal data exposed.
Questions: Part of data security is data minimisation. How many times are people in Gaza asked to hand over their personal info? Can they reasonably be asked to consent in this environment?
Also: Why does household size vary between clusters (📥)?
What do other agencies and donors think: There are plenty of other questions on past actions, current gaps, and future risks. One common query: Why did it take more than two weeks to notify people? Some who partner with WFP are wondering the same thing.
“I regret to inform you”: For some, notice came in the form of a sparse 31 May email: ”I regret to inform you that WFP was recently targeted by a cyber-attack on its self-registration application (SRA) for Palestine,” stated the email, which included key messages to be given to “WFP beneficiaries”. Some complain that WFP has shared only limited info with its partners. “Why didn’t you tell us earlier, and why aren’t you telling us more now,” said one aid worker, describing some of the questions posed to WFP in recent days. We’re told some donors also received notification over the weekend.
How seriously are people taking this: Data protection experts say it has taken years for the humanitarian sector to treat the issue with urgency. In 2021, the sharing of Rohingya refugees’ biometric data with the government that persecutes them was a watershed moment – flipping theoretical risks into real-world harms. The 2022 ICRC hack was another wake-up call. The WFP cyber-attack may be the largest known humanitarian data breach in history. Data protection experts see it as urgent. Do humanitarian groups and their donors (📥)?
What WFP would like you to know: The agency may not be eager to offer a headcount for the data breach, or explain why there are 600,000 households in Gaza. But there are a few talking points they’d like to share. A WFP spokesperson tells us:
The exposed location data “was only at the neighbourhood level” and “cannot be easily used” to pinpoint individuals.
They don’t know of any “misuse or exploitation” of the data.
No staff personal data was exposed.
And presumably referring to the self-registration platform, there is “no connection between this system and Palantir”.
Palantir and “cowboys” |
This seems like a convenient time to segue to Palantir, the military contractor and WFP data partner named in the “economy of genocide” UN rights report.
WFP’s actions will be under the microscope, but, like all agencies, it is asked to operate under extraordinary pressure with shrinking donor budgets. Cyber-attacks are part of a surging wave of tech threats facing humanitarians: If the world’s most well-funded agency is exposed, then everyone else is as well.
But WFP’s ambitious data strategy also drags a spotlight onto its policies and partnerships. The agency has actively expanded and marketed its various data systems, and aims to transform into a “data-driven entity”. The agency boasts about pioneering new tech: “WFP is among the first UN agencies to use photo-based technology and artificial intelligence to analyse large volumes of images in seconds,” it said in a press release five days after the Gaza data breach. Its new deduplication tech will use artificial intelligence to analyse names, photos, and possibly biometric fingerprints.
“The food programme is often seen to be the cowboys. They push the envelope,” Aaron Martin, a cybersecurity and digital ID specialist at the University of Virginia, told us in an interview. “They take risks in particular with the use of technology, but also in their partnerships with certain companies like Palantir, which is certainly unsettling for other organisations in the humanitarian sector, because they appreciate that those activities come with reputational risks.”
Recent external evaluations have noted this as well. “WFP’s rapidly expanding use of digital technology and processing of data are at risk of failing the people it serves,” a 2022 evaluation noted.
“WFP has demonstrated a robust strategic commitment to its digital transformation, focusing on operational efficiency. This needs to be matched by an equal focus on protection and clear internal and external positioning on the responsible use of digital technology and data.”
(c) 2026, The New Humanitarian
Comments