Exposed UN Database Left Sensitive Information Accessible Online
A database containing sensitive, sometimes personal information from the United Nations Trust Fund to End Violence Against Women has been made publicly accessible on the internet, revealing more than 115,000 files relating to organizations that cooperate with or receive funding from UN Women. The documents range from personnel and contract information to correspondence and even detailed financial audits of organizations working with vulnerable communities around the world, including those under repression.
Security researcher Jeremiah Fowler discovered the database was not password protected or access controlled and disclosed this finding to the United Nations, which secured the database. Such problems are not uncommon, and many researchers regularly find and reveal examples of exposure to help organizations correct data management failures. But Fowler emphasizes that this prevalence is precisely why it is important to continue to raise awareness about the threat of such misconfigurations. The UN Women database is a prime example of how a small error can pose additional risks to women, children and LGBTQ people living in hostile situations around the world.
“They are doing a great job and helping the people who are actually on the ground, but the cybersecurity aspect is still very important,” Fowler told WIRED. “I’ve found a lot of data before, including from all kinds of government agencies, but these organizations are helping people who are at risk just because of who they are, where they are.”
A UN Women spokesperson told WIRED in a statement that the organization appreciates cooperation from cybersecurity researchers and incorporates any external findings with its own monitoring and telemetry activities.
“In line with our incident response procedures, containment measures were quickly put in place and investigations are ongoing,” the spokesperson said. “We are in the process of evaluating how to communicate with those potentially affected to keep them aware and vigilant, as well as incorporate lessons learned to prevent similar incidents in the future.”
Data can expose people in many ways. At the organizational level, some financial audits include bank account information, but more broadly, disclosures provide granular details about each organization’s funding sources and how it is budgeted. The information also includes details on operating costs and staff details that can be used to map the linkages between civil society groups in a country or region. Such information is also ripe for abuse in fraud because the United Nations is a trusted organization and exposed data would provide insight into internal operations and potentially serve as a template for malicious actors to create seemingly legitimate communications purporting to come from the United Nations.