Security lapses leave beneficiary data at risk

What you need to know:

Sensitive personal and financial data on tens of thousands of people in humanitarian aid projects is at risk from hackers, according to a damning security analysis by a financial technology startup.

Aid agencies have put some projects on hold while reviewing the security of a popular online system for handling aid distributions, IRIN has learnt.

In a report, Mautinoa Technologies said it identified several security problems in a software platform used by aid agencies to store the data of vulnerable people, exposing them to “very significant risks”. The company behind the platform, Red Rose, denies the claims.

Mautinoa, a new provider of payment systems and technologies, was able to enter a cloud-based server of the NGO, Catholic Relief Services, and access names, photographs, family details, PIN numbers and map coordinates for more than 8,000 families receiving assistance from the NGO in West Africa.

In response, Oxfam, one of several customers of the platform, told IRIN it has “temporarily suspended uploading new data” to its Red Rose systems as a precautionary measure. A spokesperson told IRIN the NGO, depending on its assessment, may review plans to implement the system in Bangladesh, where it is currently training staff. In recent days, a Red Rose server used for a CARE project in West Africa until May was taken offline. IOM told IRIN it is making plans to reduce its use of external “vendor support.”

The incident is a real-world reminder of the possibility of personal details of aid beneficiaries falling into the wrong hands and the potential for fraud, as aid agencies increasingly turn to voucher systems and digital cash transfers as more efficient forms of assistance.

The risks are significant: gaps in legal and ethical frameworks for humanitarian operations and a lack of professional skills in digital data amount to “a disaster waiting to happen,” according to a recent paper from the Harvard Humanitarian Initiative.

Humanitarian security analyst Rakesh Bharania, now of Tarian Innovation LLC, and former co-chair of the security and privacy working group of humanitarian-corporate alliance NetHope, told IRIN “the risks to vulnerable people are extremely serious” and there’s an “under-appreciated obligation” on aid groups and donors to tackle the issue.

To manage its cash and voucher transfers, CRS – like at least 10 other aid groups – uses the web-based system run by Red Rose, a young company based in Turkey and the UK that has rapidly emerged in recent years as a leading vendor of online data management platforms and apps for humanitarian responders.

By following instructions and clues in a public training video, Mautinoa got access to CRS’s administrative dashboard, giving it full control to view and edit financial and personal details, and to download data. The system, although not connected to the banking system, contains financial records totalling about $4 million, provided by donors including USAID and the European Commission.

CRS, an NGO which manages $900 million of annual income and works in over 100 countries, confirmed the incident to IRIN, blaming an error in “password management”, but Mautinoa said it had found deeper flaws in the software. These claims Red Rose vigorously denies.

The revelations could cause a “shockwave” in the aid sector, according to one analyst. Another said the implications of a bigger security breach could be “terrifying” for the safety of vulnerable refugees and other people in crisis situations.