United Nations suffers potential data breach

Hackers could have breached the database long before the UN applied a patch

The UN building with flags in front

Researchers have uncovered vulnerabilities in the United Nations Environmental Program (UNEP) computer systems that could have exposed 100,000 personal data records. 

According to a report by the ethical hacking company Sakura Samurai, which looked at the UN network’s strength, they obtained this data in less than 24 hours. By identifying an endpoint that exposed Git credentials, the researchers used the credentials to download Git repositories and identify user data and personally identifiable information (PII).

“In total, we identified over 100K+ private employee records. We also discovered multiple exposed .git directories on UN owned web servers [ilo.org], the .git contents could then be exfiltrated with various tools such as “git-dumper”,” said researchers.

Travel and employee data was among the findings. Records contained employee IDs, names, employee groups, travel justification, start and end dates, approval status, destination, and the length of stay. Researchers also found HR data, such as nationality, gender, and pay grade, on thousands of employees.

“In total, we found 7 additional credential-pairs which could have resulted in unauthorized access of multiple databases. We decided to stop and report this vulnerability once we were able to access PII that was exposed via Database backups that were in the private projects,” said researchers.

Javvad Malik, security awareness advocate at KnowBe4, told IT Pro it’s easy for organizations, especially global ones, to have data spread across various systems and platforms. 

“Keeping track of all these disparate systems can be challenging enough and ensuring the right security settings are applied and that credentials are appropriately managed is key,” Malik said. “While many technologies and processes exist to help secure organizations to prevent these kinds of issues, it is essential that organizations cultivate a culture of security so that everyone is aware of the role they have to play in securing the organization as it's not something a security department can do on their own."

Martin Jartelius, CSO at Outpost24, told IT Pro the flaws we see in this case are all related to users configuring those servers, leaving files exposed and software misconfigured. 

“Those are flaws in usage, not flaws in software. It is in parts further concerning as those systems were internet exposed, and in turn, held credentials for other systems,” he said.

“With access to some of the indicated information and the simplicity of the breach, attackers may well have access to this information. It is one of the basic controls any experienced analyst performs against a system they are auditing, yet it is still surprisingly often a rewarding path to take provided the attack surface is sufficiently large, such as a full organization."

Featured Resources

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Evaluate your order-to-cash process

15 recommended metrics to benchmark your O2C operations

Download now

AI 360: Hold, fold, or double down?

How AI can benefit your business

Download now

Getting started with Azure Red Hat OpenShift

A developer’s guide to improving application building and deployment capabilities

Download now

Recommended

Capcom data breach adds another 40,000 estimated victims
data breaches

Capcom data breach adds another 40,000 estimated victims

13 Jan 2021
Parler suffers data leak before being taken offline
social media

Parler suffers data leak before being taken offline

12 Jan 2021
Misconfigured Git servers lead to Nissan data leak
hacking

Misconfigured Git servers lead to Nissan data leak

7 Jan 2021
BackupAssist teams with Wasabi to offer cheaper backup for businesses
backup

BackupAssist teams with Wasabi to offer cheaper backup for businesses

6 Jan 2021

Most Popular

IT retailer faces €10.4m GDPR fine for employee surveillance
General Data Protection Regulation (GDPR)

IT retailer faces €10.4m GDPR fine for employee surveillance

18 Jan 2021
Citrix buys Slack competitor Wrike in record $2.25bn deal
collaboration

Citrix buys Slack competitor Wrike in record $2.25bn deal

19 Jan 2021
Should IT departments call time on WhatsApp?
communications

Should IT departments call time on WhatsApp?

15 Jan 2021