World Food Programme breach exposes data of 600,000 Gaza households (2026)

The UN World Food Programme disclosed that attackers gained unauthorized access to its self-registration application for Palestine, exposing names, ID and phone numbers, and location data for roughly 600,000 households in Gaza in what may be the largest known breach of humanitarian beneficiary data.

On 2 June 2026, the United Nations World Food Programme (WFP) — the world's largest humanitarian organisation — disclosed that attackers had gained unauthorized access to its self-registration application (SRA) for Palestine, the platform Gazans use to register for food and cash assistance after verification. The breach exposed personal data for roughly 600,000 households in Gaza, in what researchers described as possibly the largest known breach of humanitarian beneficiary data to date.

What happened

WFP said the intrusion occurred on 14 May 2026 and that it later detected unauthorized access to the SRA. The exposed information included names, ID and mobile numbers, and location data — details that are especially dangerous in an active conflict zone where they could be used for surveillance, targeting, or fraud against an already vulnerable population.

On discovering the access, WFP took immediate action to shut down the platform, contain the intrusion, and strengthen its security controls. An investigation is under way, and at the time of disclosure no party had claimed responsibility.

Why it matters

Humanitarian beneficiary registries hold some of the most sensitive data imaginable: precise identities and locations of people who depend on aid to survive. A compromise of that data does not just risk identity theft — it can put lives at risk. The WFP incident underscores how aid platforms have become high-value targets and how the duty of care owed to beneficiaries now extends squarely into cybersecurity.

Sources

bleepingcomputer.comhttps://www.bleepingcomputer.com/news/security/un-world-food-programme-breach-affects-600-000-gaza-households/

theregister.comhttps://www.theregister.com/security/2026/06/05/world-food-programme-breach-exposes-data-of-600k-vulnerable-gazan-families/5251605

thenewhumanitarian.orghttps://www.thenewhumanitarian.org/news/2026/06/02/data-600000-gaza-households-exposed-wfp-cyber-attack

therecord.mediahttps://therecord.media/un-food-agency-investigates-gaza-aid-breach

Related incidents

Data breachUnknownMay 22, 2026

Data leak at the Haute-Garonne departmental digital media library

In May 2026, the Haute-Garonne departmental digital media library network (media31.mediatheques.fr) confirmed an intrusion after the threat actor AplaGroup exploited critical vulnerabilities and extracted user-account data on roughly 765 people.

Victim: Haute-Garonne departmental digital media library
Records: 765

Data breachContainedMay 12, 2026

Roubaix: the Kiosque famille suspended after a data leak concerning schoolchildren

The town of Roubaix disclosed a data breach on its Kiosque famille school-services platform after two user accounts were compromised, exposing identity and schooling details of 165 enrolled children and their families; no banking data was affected.

Victim: Roubaix town hall
Records: 165

Data breachUnknownMay 2, 2026

French Ministry of Sports: more than 217,000 photos and sensitive data of educators leaked

A hacker using the alias Cybernox claims to be putting up for sale a database attributed to the French Ministry of Sports, Youth and

Victim: French Ministry of Sports

Data breachOngoingMay 2, 2026

Service Civique: contacts from public and association organisations published after a cyberattack

France's Agence du Service Civique disclosed a personal-data breach affecting its volunteer-host training platform, after a database of contacts at accredited organisations — names, emails, postal addresses, phone numbers and accreditation numbers — was published on a cybercrime forum.

Victim: Service Civique