UN World Food Programme Breach Exposes Data of 600,000 Gaza Households
The United Nations World Food Programme disclosed a breach of its Palestine self-registration application that exposed personal data submitted by Palestinians seeking humanitarian assistance in Gaza. According to statements cited by multiple outlets, unauthorized access on May 14 affected people in roughly 600,000 households and exposed sensitive information including names, identification numbers, phone numbers, and neighborhood-level location details across the Gaza Strip.
WFP said it temporarily suspended the registration platform, contained the incident, and implemented urgent security improvements while keeping food and cash assistance programs running for already registered beneficiaries. The agency has not publicly identified the threat actor, intrusion method, or whether the data was leaked, but warned beneficiaries to be alert to anyone claiming to represent WFP, asking for money or additional information, or sending suspicious links and messages.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
WFP suspends platform and begins containment after breach
After discovering the intrusion, WFP temporarily suspended the affected self-registration platform to contain the incident and implement urgent security improvements. The agency said assistance programs for already registered beneficiaries would continue and warned recipients to be cautious of suspicious messages or requests for money or information.
WFP publicly discloses Gaza aid app breach on Telegram
WFP publicly announced the security incident involving its Gaza self-registration application via Telegram. The disclosure followed the May 14 detection of unauthorized access affecting data from about 600,000 households.
Unauthorized access breaches WFP Gaza aid registration app
On 2026-05-14, unauthorized actors accessed personal data submitted through the World Food Programme's self-registration application used in Palestine for Gaza aid recipients. Exposed data included names, identification numbers, phone numbers, and neighborhood or location details, affecting roughly 600,000 Palestinian households in Gaza.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
5 references tracked. Mallory keeps watching after this page renders.
World Food Programme breach exposes data of 600k vulnerable Gazan families
theregister.com
Open sourceWorld Food Programme reports data breach affecting Palestinian beneficiaries | brief | SC Media
scworld.com
Open sourceUN food agency investigates breach exposing data of Gaza aid recipients | The Record from Recorded Future News
therecord.media
Open sourceUN food agency discloses breach affecting 600,000 Gaza households
bleepingcomputer.com
Open sourceData of 600,000 Gaza households exposed in WFP cyber-attack
thenewhumanitarian.org
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Weee! Confirms Customer Data Breach Affecting 1.1 Million Users
Online grocery delivery service **Weee!** confirmed a data breach affecting about **1.1 million customers**, after reports surfaced that a large dataset tied to the company had been leaked online. Exposed information reportedly included names, email addresses, phone numbers, home addresses, and account-related details such as delivery preferences, device information, dates, and customer notes left for couriers; some of those notes allegedly contained sensitive building entry instructions. Reporting linked the leaked dataset to a threat actor associated with other high-profile data exposures, including a prior US Cellular-related leak. The compromised records raise risks of phishing, scams, identity fraud, and physical security concerns because the data could help attackers profile victims or misuse address and access details. Weee! acknowledged the incident as scrutiny grew over how consumer delivery platforms store large volumes of personal information and expand exposure through third-party services.
May 25, 2026
Abu Dhabi Finance Week Cloud Storage Leak Exposes VIP Passport Data
Organizers of **Abu Dhabi Finance Week (ADFW)** inadvertently exposed sensitive identity documents for roughly **700 attendees** after an associated **cloud storage server was left publicly accessible**. Reporting indicated the exposed files included **passport scans, national ID cards, and other personally identifiable information**, affecting high-profile individuals such as former UK Prime Minister **David Cameron** and other global finance and government figures. An independent security researcher reportedly discovered the dataset using common cloud-scanning tools, and the data may have been accessible for **at least two months** before being addressed. The incident underscores ongoing risk from **misconfigured or unsecured cloud storage** supporting major events and third-party registration workflows, where large volumes of identity documents are collected and retained. Other items in the provided set cover unrelated topics (post-quantum planning, phishing kits, supply-chain malware on Android devices, and general security roundups/advice) and do not add material facts about the ADFW exposure.
Mar 21, 2026
Data Breach at French Social Security Agency Pajemploi Exposes 1.2 Million Individuals
Pajemploi, a French social security service under URSSAF that supports parents and home-based childcare providers, has suffered a significant data breach impacting approximately 1.2 million professional caregivers. The breach, detected on November 14, resulted in the theft of personal data including full names, places of birth, postal addresses, social security numbers, names of banking institutions, Pajemploi numbers, and accreditation numbers. However, sensitive information such as bank account numbers (IBANs), email addresses, phone numbers, and account passwords were not accessed. Pajemploi has assured that its operational services remain unaffected and has taken immediate steps to secure its systems, while also notifying the French Data Protection Authority (CNIL) and the National Agency for the Security of Information Systems (ANSSI). All affected individuals will be notified directly by Pajemploi, and the agency has advised heightened vigilance against potential fraudulent communications. The breach specifically targets employees of private employers using the Pajemploi service, raising concerns about the risk of identity theft and social engineering attacks. URSSAF has recommended that users remain alert for suspicious emails or SMS messages that could exploit the exposed data.
Mar 21, 2026