The World Food Programme Must Ensure the Protection of the Palestinian Data: 7amleh demands Transparency and Accountability 

June 6, 2026, 7amleh - The Arab Center for the Advancement of Social Media is gravely concerned by the cyber-attack on the World Food Programme that has exposed the personal data of approximately 600,000 Palestinian households in Gaza, drawn from a registered population of more than two million people. According to WFP’s own notification, the breach of its Self-Registration Application (SRA) exposed names, identification numbers, mobile numbers and “location data.” By WFP’s own account, this may be the largest known breach of humanitarian beneficiary data to date.

This data was not surrendered freely. It was provided as the price of survival by a population the International Court of Justice has found to be plausibly subjected to genocidal acts, under provisional measures since January 2024. In Gaza, to register was to eat. Consent given under siege and engineered starvation is not meaningful consent — it is a necessity. The duty of care owed over such data is therefore at its highest, and it is against that standard that the handling of this incident must be measured

WFP plays an essential role in keeping Palestinians in Gaza alive, and the agency was itself the target of a malicious attack. That does not lessen the responsibility owed to the people whose data it holds. The reported facts raise serious questions that only WFP can answer: that its own staff had flagged the underlying vulnerability; that the breach occurred on 14 May 2026; that the affected people were notified only seventeen days later, on 31 May; and that, as of that date, no risk assessment had reportedly been conducted. Measured against the seventy-two-hour benchmark widely regarded as the standard for breach notification, that delay left people without the information they needed to protect themselves.

The stakes in Gaza are exceptional. In most settings, exposed registration data is a privacy harm; here, it can be more. Names linked to identification numbers, phone numbers, and location can, in the wrong hands, assist in identifying and locating individuals. This concern is not abstract. Palestinians seeking aid have been killed, and the occupying power has pressed humanitarian organisations to hand over the personal data of those connected to aid operations in Gaza. Since 2025, under Israeli Resolution No. 2542, such transfers have been demanded as a condition of operating; organisations including Médecins Sans Frontières and Oxfam refused, warning that giving data to a party to the conflict would endanger lives, and the requirement has been contested in court. The category of data those organisations fought to protect is the same category now exposed by this attack. That is why this incident cannot be treated as routine.

The applicable obligations are clear. The right to privacy is protected under Article 17 of the ICCPR and Article 12 of the UDHR, and the UN and WFP are bound by their own data-protection frameworks — the UN Personal Data Protection and Privacy Principles (2018) and WFP’s Guide to Personal Data Protection and Privacy — which require data minimisation, risk assessment, security and timely notification. Nor is the threat unforeseeable: the 2022 cyber-attack on the International Committee of the Red Cross, which exposed the data of more than 515,000 vulnerable people, already placed the entire sector on notice. These standards exist to be applied before harm occurs.

7amleh calls on WFP to:

1.     Be fully transparent about what happened — the timeline of the attack, its detection, and how affected people were notified — including clarifying what “location data” was held and exposed, so that the true level of risk can be understood.

2.     Commission an independent investigation with Palestinian civil-society participation, rather than relying on internal review alone.

3.     Publish a risk and harm-mitigation assessment, with concrete protective measures for affected people, secured re-registration, and active efforts to remove any exposed data from circulation.

4.     Adopt clear, transparent Data protection policy and data minimisation as binding policy — collecting identifying data such as ID numbers and location only where genuinely necessary to deliver assistance, and protecting it accordingly.

5.     Guarantee non-transfer — confirming, across the UN system, that no Palestinian beneficiary or aid-worker data will be shared with any party to the conflict under any “access condition.”

6.     Ensure accountability and report transparently to WFP’s Executive Board and donors, including the European Union, for the failures an independent investigation identifies.

The people of Gaza have been asked to trust the institutions of the international community with their names, their numbers, and their locations, at the precise moment those institutions have failed to protect their lives. That trust has now been broken twice: once by those who would weaponise this data, and once by the system that failed to safeguard it. Clarity, accountability, and the protection of Palestinian data are not favours to be requested. They are obligations to be met.