A database believed to belong to the United Nations Trust Fund to End Violence against Women has been found unsecured online, containing financial reports, bank account information, staff details, victim testimonies and more.
The database, containing a total of 228 GB of data, was discovered by cybersecurity researcher Jeremiah Fowler and reported to vpnMentor.
It lacked any password protection, with the 115,141 files displayed unencrypted and accessible to anyone with an internet connection.
Victim and staff information exposed
While currently unconfirmed, the database contained information linking it to UN Women and the UN Trust Fund to End Violence against Women, including letters and documents addressed to the UN and stamped with UN logos, with specific reference to UN Women.
Among the records within the database, Fowler identified scanned passport documents and ID cards, alongside detailed information on staff roles including names, job roles, salary information and tax information.
“There were also documents labeled as ‘victim success stories’ or testimonies,” Fowler wrote in his report for vpnMentor. “Some of these contained the names and email addresses of those helped by the programs, as well as details of their personal experiences. For instance, one of the letters purported to be from a Chibok schoolgirl who was one of the 276 individuals kidnapped by Boko Haram in 2014.”
It’s not known how long the database has been exposed, whether the database is managed by the UN Women organization or a third party, or whether the database has been accessed by anyone outside of the organization.
Fowler explains several hypothetical situations in which the data could be misused, such as convincing spear phishing attacks against exposed email addresses using manipulated documents. Theoretically, a threat actor could also use the documents to gain a high-level understanding of the organization’s organizational and financial structure.
The UN Women organization has a scam alert posted on its website which is undated, but the page dates back to at least July 2022, with an update occurring in July 2024 adding a guide to using the Quantum procurement verification portal. Fowler alerted the UN Information Security team to the unprotected database, and received a response stating, “The reported vulnerability doesn’t pertain to us (the United Nations Secretariat) and is for UN Women. Please report the vulnerability to UN WOMEN.”