Aid's Digital Ledger
On May 14, 2026, an unauthorized actor breached the World Food Programme's self-registration application — known internally as the People Portal — used by Palestinians in Gaza to enroll for food, cash, and nutritional assistance. The intrusion exposed records tied to roughly 600,000 households. Because many individuals register separately, Access Now estimates the system held data on more than two million registrants in total, representing close to the entire current population of the territory.
What was exposed goes well beyond a name and phone number. According to the WFP's own notification and confirmed by Access Now, the breached records included names, national ID numbers, date of birth, marital status, family member IDs, mobile numbers, health status indicators (including pregnancy and disability), neighborhood-level location data, and the number of times each household had been displaced since October 7, 2023. In ordinary circumstances, this is sensitive personal data. In a live conflict zone where military targeting has been documented, it is potentially lethal information.
WFP waited 17 days before notifying beneficiaries — issuing a message via Telegram on May 31. By that point, affected individuals had had no opportunity to take protective measures for more than two weeks. The organization said it was unaware of any misuse or exploitation of the data and has since suspended the platform pending security improvements.
The Case for Digital Enrollment
The strongest argument for WFP's data practices is also the most obvious: the agency needed this information to deliver aid at scale. Verification systems exist to prevent duplicate registrations and ensure scarce resources reach the most vulnerable. Household-level data on displacement and health status enables WFP to prioritize nutritional supplementation for pregnant women and the disabled. In a population facing mass starvation, a cumbersome enrollment system that delays assistance has its own humanitarian cost. Defenders of aid digitization also note that paper-based systems carry their own risks — they can be intercepted, forged, or destroyed — and that properly secured digital platforms can deliver faster, more equitable distribution. The problem is not digital enrollment as such.
Where the System Failed
But the breadth of data collected raises a serious question of proportionality. Displacement history going back to October 2023, specific health conditions, and marital status are not required to deliver a food parcel or a cash transfer to the right person. The principle of data minimization — collect only what is strictly necessary for the stated purpose — is not a technicality. In a conflict environment, every additional data field is a potential weapon if captured.
The ICRC's Handbook on Data Protection in Humanitarian Action states plainly that "protecting individuals' personal data is an integral part of protecting their life, integrity and dignity." The OCHA Centre for Humanitarian Data has maintained Data Responsibility Guidelines since 2021, updated as recently as January 2025, that call for context-specific threat modeling across humanitarian response operations in 21 countries. These frameworks existed before May 14, 2026. Neither is binding.
Aaron Martin, a cybersecurity specialist at the University of Virginia, told the Lemkin Institute that WFP is often seen as "the cowboys" — an organization that "takes risks" with technology partnerships. A 2022 external evaluation had already flagged that WFP's "rapidly expanding use of digital technology" was "at risk of failing the people it serves." The breach occurred four years after that warning.
The Accountability Vacuum
Here lies the structural problem. UN agencies are not subject to GDPR or to any national data protection law, by virtue of their diplomatic immunity and operational mandates. No data protection authority can fine WFP. No supervisory body can compel an audit. The frameworks that exist — OCHA's Data Responsibility Guidelines, the IASC Operational Guidance on Data Responsibility (revised April 2023) — are voluntary and self-enforced.
This is not an argument for imposing GDPR-scale administrative overhead on agencies responding to famine and displacement. That would be disproportionate and counterproductive. But proportionate accountability is not the same as no accountability. The 2022 ICRC breach — which exposed data on hundreds of thousands of highly vulnerable people from Red Cross and Red Crescent member societies — prompted calls for exactly this kind of reform. Four years later, the WFP breach is larger, the population affected is in a more acute threat environment, and the same structural gap persists.
Several specific reforms are technically feasible without impeding operations:
- Data minimization by design: Decouple identity verification from aid eligibility. A cryptographic hash of a national ID confirms identity without storing the raw number in a centralized, internet-connected database.
- Offline verification flows: Biometric or token-based verification that does not require continuously accessible stores of health and displacement records.
- Independent security audits: Donor governments that fund WFP's digital infrastructure could condition funding on annual third-party penetration testing and published security certifications.
- Tiered notification timelines: A 17-day delay to notify beneficiaries of a high-severity breach in a conflict zone is indefensible. A 72-hour internal escalation requirement — mirroring the threshold GDPR sets for supervisory authority notification — is a proportionate minimum.
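The first reform above, as an added sketch (not WFP's code, nor code from any source cited here): an unkeyed hash of a short numeric ID can be reversed by walking the ID space, so the sketch stores a keyed hash (HMAC-SHA-256) whose key is held outside the registry. The nine-digit ID format, the sample numbers and all function and class names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Assumption: in production this key sits in an HSM or offline key store,
# never in the registry database. Generated here so the example runs alone.
PSEUDONYM_KEY = secrets.token_bytes(32)

def normalize_id(raw: str) -> str:
    """Drop spaces and separators so one ID always yields one token."""
    return "".join(ch for ch in raw if ch.isdigit())

def plain_hash(national_id: str) -> str:
    """Weak form: unkeyed SHA-256 of the ID."""
    return hashlib.sha256(normalize_id(national_id).encode()).hexdigest()

def keyed_token(national_id: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Hardened form: HMAC-SHA-256, useless to anyone without the key."""
    msg = normalize_id(national_id).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def enumerate_plain_hash(digest: str, start: int, stop: int, width: int = 9):
    """Show why the weak form fails: the ID space is small enough to walk."""
    for n in range(start, stop):
        candidate = f"{n:0{width}d}"
        if hashlib.sha256(candidate.encode()).hexdigest() == digest:
            return candidate
    return None

class Registry:
    """Duplicate detection at enrollment, storing keyed tokens only."""

    def __init__(self, key: bytes = PSEUDONYM_KEY):
        self._key = key
        self.tokens = set()

    def enroll(self, national_id: str) -> bool:
        token = keyed_token(national_id, self._key)
        if token in self.tokens:
            return False  # already registered under this ID
        self.tokens.add(token)
        return True

if __name__ == "__main__":
    sample = "900 123 457"  # constructed ID, assumed nine-digit format
    leaked = plain_hash(sample)
    print("recovered from unkeyed hash:", enumerate_plain_hash(leaked, 900123000, 900124000))
    reg = Registry()
    print("first enrollment:", reg.enroll(sample), "| repeat:", reg.enroll("900-123-457"))
    print("stored token:", next(iter(reg.tokens))[:16], "...")
```

If the key is stored with the token table, the tokens are no stronger than the unkeyed hash, so key custody outside the internet-facing system is the control that matters.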
What Comes Next
Access Now has called for a moratorium on reactivating the self-registration application (SRA) until WFP completes a comprehensive risk assessment and engages affected communities. That is the right starting position. The People Portal should not go back online with the same data architecture that made this breach possible.
The argument for digital innovation in humanitarian delivery is strong. Faster verification, lower fraud, better targeting of nutritional support — these are real gains. But innovation without accountability is not pro-development. It is a liability offloaded onto the people least able to bear it. The WFP breach is a case for smarter, more proportionate data engineering — not technophobia, and not impunity. The sector needs a binding floor: not GDPR, but not nothing.