The Coupang Leak Meant Spam. This One Meant Lives
A hack of the UN World Food Programme exposed the names and home locations of 600,000 Gaza households living in a war zone.
Opening
Dear subscriber, SKT with 26.95 million records, Coupang with 33.7 million, then TVING, then CU parcel deliveries. The data-breach notifications haven’t stopped coming this year. After a leak, the spam calls start, the phishing texts arrive, and — if you’re lucky — that’s where it ends.
But one breach disclosed recently has a completely different “end.” The UN World Food Programme’s registration app for Gaza was hacked, exposing the names, ID numbers, phone numbers, and home locations of 600,000 households that receive food aid. These people live in a war zone. It is a place where a leaked address can become a target.
Let me give you the conclusion up front: this is not a simple security failure. It is a disaster produced by the structure itself — a structure that says “state your name if you want to eat.”
The Locations of 600,000 Households Went to Hackers
On May 14, WFP’s Self-Registration App (SRA) was hacked. This app is the system Gaza residents use to register themselves for food and cash assistance. Verifying identity and confirming eligibility means collecting a substantial amount of personal data. What leaked: names, ID numbers, mobile phone numbers, and the neighborhood-level home locations recorded at registration.
It may be hard to grasp what 600,000 households means. It is roughly 77% of Gaza’s entire population. WFP distributes wheat flour, high-energy biscuits, nutritional supplements, and cash to about 1.6 million people every month. With unemployment at 80%, most of the population cannot put food on the table without aid. WFP is the world’s largest humanitarian organization. It feeds more than 100 million people a year, and Gaza is among its most urgent operations.
There is a more uncomfortable detail in this incident.
An independent security researcher warned WFP’s Palestine team about vulnerabilities in the system on May 12. That was 2 days before the hack. Yet WFP did not notify beneficiaries of the breach until May 31 — 17 days after the attack. According to a whistleblower, WFP conducted no risk assessment in the interim and showed no visible effort to mitigate the security risks facing Gaza residents.
Via Telegram, WFP announced that “all programs — food, cash, nutrition support — continue as normal.” It also said there was no need to delete registration data or re-register. But there is still no confirmation of where the leaked location data went or who accessed it. The attacker’s identity remains unknown. The registration platform has been temporarily suspended for security hardening, but Gaza residents still have no answer to the question “is your address safe?”
State Your Name If You Want to Eat: The Structural Dilemma of Humanitarian Data Collection
There is a reason this leak goes beyond a simple hacking incident. The root of the problem lies in the very structure of how the data is collected.
Through SCOPE[1], its beneficiary management system, WFP manages roughly 63.8 million identity records across 80 countries. That includes biometric data — fingerprints, iris scans, photographs. WFP had planned a full rollout of SCOPE in Palestine in 2026. The SRA that was hacked is a separate system from SCOPE, but the sensitivity of the data it collects is not much different.
So how secure is this vast data infrastructure?
A 2017 internal audit had already flagged serious flaws. Personal data was being collected without beneficiary consent, and data was being copied without encryption. The verdict: “Major Improvement Needed.” 4 years later, the 2021 audit repeated the exact same verdict. A 2022 audit of the Palestine office specifically noted that “risks associated with the collection of personal data were not assessed or mitigated due to a lack of internal technical capacity.”
The warnings kept coming; the response never did. Just as Coupang’s JWT key went unrevoked for 5 months, WFP’s data-protection flaws were left unaddressed for years. The scale and context differ, but the root — an organizational culture that ignores warnings — is the same.
Then there is one more controversy. In 2019, WFP signed a $45 million partnership with Palantir, the US military and intelligence data-analytics company. Palantir’s technology underpins WFP’s data integration platform (DOTS). The problem: Palantir also works closely with the CIA, ICE (Immigration and Customs Enforcement), and US military intelligence agencies. It recently signed a $30 million contract for the US government’s system for tracking undocumented immigrants. A UN human rights report named Palantir as part of the “genocide economy” sustaining the Israeli occupation.
The digital rights group Access Now warned that “when humanitarian organizations partner with military-linked technology companies, they risk losing their protected status under international law.” When the same technology optimizes food distribution and tracks immigrants, it means the boundary between humanitarianism and surveillance is already collapsing at the level of technical infrastructure.
So why collect this much data in the first place? The structure is simple. To receive donations, you must prove “how many people got how much” — and that proof requires beneficiary data. To distribute accurately and filter out duplicate registrations, you end up needing biometric data too. Donors demand the data, but they rarely fund the security budget to protect it. To feed people you must know their names; collect the names and someone steals them; the stolen names can become weapons… This vicious cycle is the structural dilemma of humanitarian data.
In a War Zone, Data Becomes a Weapon
What makes this leak especially dangerous is that the data belongs to people in the middle of a conflict.

In Gaza, people are literally dying while trying to collect food aid. According to UN figures, hundreds of Palestinians have been killed to date in the course of WFP food distributions. In an environment like this, the leak of 600,000 households’ home locations means the data could be used to threaten beneficiaries’ physical safety.
This is not the first time. Humanitarian data in conflict zones has been leaked or repurposed again and again, and every time, the greatest harm has fallen on the beneficiaries who handed over their data.
In January 2022, servers at the International Committee of the Red Cross (ICRC) were hacked, exposing the data of 515,000 people who had lost family members to conflict and disaster. The ICRC assessed it as a state-level attack. In 2023, the Norwegian Refugee Council (NRC) was also hit by a cyberattack that compromised its beneficiary database. In Afghanistan in 2021, the Taliban captured biometric devices (HIIDE) left behind by the US military. Inside were the iris scans, fingerprints, and home addresses of Afghans who had cooperated with US forces. That same year, the UN refugee agency (UNHCR) was revealed to have shared Rohingya refugees’ biometric data with the Myanmar government without their consent. That same Myanmar government was the perpetrator of the Rohingya’s persecution. The pattern repeats, but the structure never changes.
And right now, in Gaza, another kind of pressure is underway. On May 20 — 8 days before the WFP leak became public — Israel’s Supreme Court ruled that 19 international aid organizations operating in Gaza and the West Bank must submit lists of their local Palestinian staff. Médecins Sans Frontières (MSF), Oxfam, the Norwegian Refugee Council, and others refused, arguing that “staff could become targets of reprisal,” but the court declared that “security vetting is a core sovereign function of the state” and gave them 30 days. Non-compliance means immediate suspension of operations in Gaza and the West Bank.
The aid groups’ concern is not abstract. According to UN figures, more than 133 NGO staff have been killed in Gaza since October 2023. The organizations offered the court alternatives — independent sanctions screening, donor-audit-based verification systems — ways to satisfy security requirements without handing over staff lists directly. The court rejected them.
One line from the aid groups’ court filing sums up the situation precisely.
“Turning humanitarian organizations into intelligence-gathering arms of a party to the conflict is a direct violation of the principle of neutrality.”
Leaked by hackers, demanded by governments, and collected under donor mandates — humanitarian data is now under pressure from 3 directions at once. As Yale technology and human rights expert Nathaniel Raymond put it, the reality of this field is that the most sensitive data of the world’s most vulnerable people is being guarded on the budget of a shopping-mall security guard.
Oswarld’s Take
From my experience building technology business strategy, data collection is treated as a “table stakes” requirement for market entry in every organization. For companies, customer data is the growth engine; for humanitarian organizations, beneficiary data is the basis for securing donations. The structure is identical. Coupang leaking 33.7 million records because it failed to revoke a single ex-employee’s JWT key, and WFP ignoring 9 years of audit warnings — same root. Data collection is tied directly to revenue or survival, so it comes first; data protection doesn’t show up in the numbers right away, so it gets pushed back.
But watching this case, I think the real question to ask is not about the security budget — it’s about the necessity of collection itself.
After the 2022 hack, the ICRC adopted a strategy of deliberately avoiding centralized biometric data storage. WFP and the ICRC face the same risk, but their responses diverged. The ICRC moved toward “collect less”; WFP is still moving toward “protect better.” The Palantir partnership is an extension of that same choice.
There is a pattern I have seen countless times working on GTM strategy: collecting is easy, protecting is expensive, and reversing a leak is impossible. In Korea, a leak means spam; in a war zone, it means lives at risk. Only organizations that ask “do we really need to collect this data?” before collecting can avoid the disaster that follows a breach. Data you never collect can never be stolen.
Closing
To sum up.
One: the WFP Gaza hack is the result of ignoring warnings repeated since 2017. It is a failure of priorities, not of technology.
Two: humanitarian data is now under threat from 3 directions at once. It is leaked by hackers, demanded by governments, and its collection is mandated by donors.
Three: we need a question one step ahead of “strengthen security” — namely, “do we really need to collect this data?”
After the Coupang leak, we got spam calls. Gaza’s 600,000 households are waiting for tomorrow’s rations without even knowing where their addresses went.
References & Further Reading
Primary sources
- The New Humanitarian, “Data of 600,000 Gaza households exposed in WFP cyber-attack”, 2026.06.02: The original report on this incident — the most comprehensive account, covering the whistleblower testimony, the SCOPE audit history, and the Palantir relationship.
- The Register, “World Food Programme breach exposes data of 600k vulnerable Gazan families”, 2026.06.05: A summary of WFP’s official response and the context of Gaza’s food crisis.
- BleepingComputer, “UN World Food Programme breach affects 600,000 Gaza households”, 2026.06.04: Coverage of the incident timeline from the technical side.
- Times of Israel, “High Court nixes NGOs’ petition against new security regulations on aid”, 2026.05.20: Covers the Israeli Supreme Court ruling requiring aid groups to submit staff lists. Essential for understanding how it interlocks with the WFP leak, just 8 days apart.
Background
- Privacy International, “One of the UN’s largest aid programmes just signed a deal with the CIA-backed data monolith Palantir”, 2019.02.12: The analysis that first raised the alarm over the WFP-Palantir partnership.
- TechPolicy.Press, “The ‘Humanitarian Halo’ When Tech Sells One Stack for Aid and War”, 2026.05: On the ethical problems that arise when the same technology serves both aid and war.
- Rest of World, “Humanitarian organizations keep getting hacked”, 2022.03.30: The source of the “shopping-mall security guard” analogy. A deep dive into the structural problems of humanitarian cybersecurity.
- MIT Technology Review, “This is the real story of the Afghan biometric databases abandoned to the Taliban”, 2021.08.30: The full story of the Afghan biometric data capture — a demonstration of how data becomes a weapon in conflict zones.

The author, Kwangseob Ahn, is a professor of business administration at Sejong University and lead consultant at OBF (Oswarld Boutique Consulting Firm). He teaches statistics and data analysis — business data management, business analytics — at the university, while leading GTM strategy and AI strategy consulting in the field, designing the interface between technology and business. He has published academic research on memory architecture for AI dialogue systems (HEMA) and runs Daily Arxiv, a project curating global AI papers every day. He completed a master’s program at Korea University’s Graduate School of Management of Technology and its KMBA. He is the author of The People Who Outsource Their Thinking: Homo Brainless.
Footnotes
[1] SCOPE: WFP’s in-house beneficiary identity and entitlement management system. In operation since 2014, it manages roughly 63.8 million identity records across 80 countries, including biometric data such as fingerprints, iris scans, and photographs. Internal audits in 2017 and 2021 both rated it “Major Improvement Needed.”