100,000+ United Nations documents exposed by cybersecurity researcher

A cybersecurity researcher has discovered more than 100,000 United Nations-associated documents containing financial reports, audits, bank account information, staff documents, email addresses, and more in a non-password-protected text database.

8

vpnMentor cybersecurity researcher Jeremiah Fowler has published a new report revealing the discovery of a non-password-protected database that contained 115,000 records associated with the United Nations Trust Fund to End Violence against Women. The trust fund was set up to provide financial and technical support to local, national, and regional organizations working toward reducing gender-based violence. According to the report the database held 115,141 files that amounted to 228GB of data.

According to Fowler, many of the documents in the database were marked as confidential, with the cybersecurity researcher pointing out one .xls file contained a list of "1,611 civil society organizations, including their internal UN application numbers, whether they are eligible for support, the status of their applications, whether they are local or national, and a range of detailed answers regarding the groups' missions."

The vpnMentor cybersecurity researcher wrote none of this data should have been available to the public, noting that some files even contained scanned passports, ID cards, staff directories, tax data, salary information, names, and more. Fowler states he sent his findings to the general UN InfoSec address and UN Women, and access to the database was restricted the next day. However, Fowler writes that it is unknown how long public access to the database was available or if anyone else accessed the files.