Case
Cyber attack on ICRC

Swedish Red Cross on Staying Compliant Through Sensitive Data Breach

In the era of cybercrime, nothing is what it used to be. Today, even humanitarian organizations have become targets. When a cyber attack on the International Committee of the Red Cross also risked exposing sensitive data from the Swedish Red Cross, they suddenly found themselves in a GDPR crisis nobody could have foreseen. Here is their story.

In this case, we were thankful we already had our partnership with Truesec in place. Truesec showed a huge willingness to help us with anything we needed.

Martin Tägtström

CIO at Swedish Red Cross

In this case, we were indeed dealing with immensely sensitive personal information. It was very much a balancing act between empathy and morality, law and order.

Levi Bergstedt

Chief Legal Officer at Truesec

I think this incident is a good example of how we need to abandon the illusion that it’s possible to completely protect ourselves from cyber attacks.

Martin Tägtström

CIO at Swedish Red Cross

In the era of cybercrime, threats can appear most unexpectedly. As one of Sweden’s most experienced humanitarian aid organizations, the Swedish Red Cross found itself needing a helping hand when a cyber attack on the International Committee of the Red Cross also put sensitive Swedish data at risk. When it comes to managing GDPR, both timing and treading carefully are crucial – Truesec fully supported the Swedish Red Cross with its legal responsibilities following the breach.

Hackers in hoodies?

Forget those images. In the era of cybercrime, a new threat landscape has evolved. Different, darker. In parallel with the growing number of threat actors, the cybercrime industry has also matured and transformed accordingly.

Today’s cybercriminals are professionally organized. As business is booming, the threat actors’ playgrounds have expanded into previously untouched and ethically unthinkable grounds. In the era of cybercrime, nothing is what it used to be. As Truesec’s friends at the Swedish Red Cross would have to experience – anyone can become a target.

Targeted Cyber Attack Risks Exposing Personal Data of the World’s Most Vulnerable

Following the public announcement of the partnership between Truesec and the Swedish Red Cross, employees and external stakeholders might have wondered what was going on when mention of the Red Cross being victims of a breach started circulating in the media. Had Truesec failed in its mission to protect the Swedish Red Cross? But it wasn’t what it looked like. Rather the opposite, as you’ll soon see.

In January 2022, the International Committee of the Red Cross (ICRC) published a press release. The message: ICRC's servers containing personal data belonging to more than 515,000 people worldwide had been hacked. The breach included data such as names, locations, and contact information. Even worse, those affected included missing people and their families, detainees, and others receiving services from the Red Cross due to armed conflicts, natural disasters, or migration.

Martin Tägtström, CIO at the Swedish Red Cross, quickly informed Truesec.


There were several crucial questions. Might there be a risk for the Swedish Red Cross’ operations and IT systems as well? What about the systems monitored and secured by Truesec? Were there any signs of anything unusual? Martin asked Truesec to investigate further.

Incident Response Activated – Compliant Throughout the Crisis

Truesec immediately activated its Threat Intelligence Team. The goal was to find further information about the background of the attack, covering both the attack itself and the threat actor behind it. Fortunately, within a few days, it was clear that nothing was wrong with the IT systems secured, monitored, and managed by the Swedish Red Cross or Truesec. The breach was limited to the ICRC’s systems managed by another security partner.

"By then, it was all about trying to find out exactly what had happened. Although it was kind of a relief when we found out none of our own systems, or systems hosted by Truesec, were affected – it was still a short relief," says Martin.

He explains: "The affected system was developed and hosted by the ICRC for all Red Cross National Societies. These servers held the personal data that people provided to the Red Cross. More specifically, to help them find and reconnect with their families and learn what happened to relatives who are missing due to armed conflicts, natural disasters, or migration. Thus, the initial relief quickly turned into: OK, what should we do now?"

While there was no immediate threat to the Swedish Red Cross, Truesec heightened its incident response readiness for the Swedish Red Cross. Truesec’s Data Leak Detection Program was also activated to find further clues, data, or other traces from the breach.

Meanwhile, Martin and his colleagues had another challenge to deal with – GDPR. Following the introduction of GDPR in 2018, the requirements in case of a personal data breach risking affected individuals' freedoms or rights are very clear. Within 72 hours, incidents must be reported.

"When it comes to GDPR, there’s no room for mistakes or second guessing. Fail to report, and you risk an integrity incident. Report the wrong things or too much, and you’ll risk other legal consequences. You need to act quickly and compliantly," says Levi Bergstedt, Chief Legal Officer at Truesec.

About a week into the incident, Levi was called in. By then, Martin and his team had made a preliminary report to IMY, the Swedish Authority for Privacy Protection. They now wanted Levi’s expert assessment of the application to check whether it had been handled in accordance with applicable laws.

Balancing Cyber Law and the Human Perspective

"It was a very sensitive situation," Levi recalls. "GDPR demands informing the concerned parties of a breach. However, in this case, we were not just dealing with any data breach; we were indeed dealing with immensely sensitive personal information, such as in the case of political refugees, for example. Even a name or someone’s latest known location can be extremely sensitive. Thus, it was very much a balancing act between empathy and morality, law and order."

Following the reporting to IMY, Levi advised the Swedish Red Cross on how to further analyze the situation from a legal perspective.

Together, they also went through all the contracts between the Swedish Red Cross and the International Red Cross to determine the contractual responsibilities. Following the incident, no technical impact or traces of intruders have been seen in any of the Swedish Red Cross’ IT systems.

"I think this incident is a good example of how we need to abandon the illusion that it’s possible to completely protect ourselves from cyber attacks," says Martin.

He exemplifies what a more rational approach ought to look like:

"Rather, you need to know what to do when an attack strikes. No one can, of course, be prepared for everything; you still need to deal with a crisis once it occurs — but by then, you need to know you have the right resources and competence by your side. In this case, we were thankful we already had our partnership with Truesec in place. Truesec showed a huge willingness to help us with anything we needed."

The Breach in Brief

  • On January 18, 2022, the ICRC confirmed there had been a breach of its systems. Hackers had been inside the systems and had access to the data they contained.
  • The ICRC determined the attack was targeted as the hackers had created a piece of code designed purely for execution on the targeted ICRC servers.
  • None of the systems hosted by the Swedish Red Cross or Truesec were affected by the breach.
  • Swedish Red Cross had used the affected system hosted by the ICRC to manage the sensitive data of individuals. Thus, it could not be excluded that data from the Swedish Red Cross might also have been leaked; hence Truesec’s Legal Incident Response services were activated for the Swedish Red Cross.

About the Swedish Red Cross

  • Founded in 1865, today, the Swedish Red Cross is the largest humanitarian volunteer organization in Sweden.
  • The Swedish Red Cross has about 25,000 volunteers in 722 local branches, scattered around the country.
  • Organizationally, the Swedish Red Cross is part of the International Red Cross and Red Crescent Movement, which is the largest humanitarian network in the world.
  • The global Red Cross Movement is composed of the International Committee of the Red Cross, ICRC, the International Federation of Red Cross and Red Crescent Societies, and the 190 individual national societies. Each has its own legal identity and role, but they are all united by seven fundamental principles.

Managing a Data Breach

Insights, Reflections, and Lessons Learned by the Swedish Red Cross
  • Insights

Transparency and openness have really been key for us. It was already in the DNA of our organization, but it was especially helpful during this crisis as we never needed to discuss whether to go public with the incident or not.

  • A Reflection We’ve Made

We think it’s important to stress that we’re the victim of a crime here. Working in natural disasters and across conflict frontlines comes with real risks. Just as human lives must be respected and protected, it is also important that humanitarian data be equally respected.

  • Lessons Learned; Patterns Changed

Knowing the ICRC attack succeeded due to an unpatched vulnerability, we’ve also made changes to our own routines. At IT, we’ve previously been very service-minded towards our colleagues so that patching does not interfere too much with operations. We’ve changed that now. We’ve decided to patch everything and all vulnerabilities within 72 hours.
