United Nations suffers potential data breach

Hackers could have breached the database long before the UN applied a patch

The UN building with flags in front

Researchers have uncovered vulnerabilities in the United Nations Environmental Program (UNEP) computer systems that could have exposed 100,000 personal data records. 

According to a report by the ethical hacking company Sakura Samurai, which looked at the UN network’s strength, they obtained this data in less than 24 hours. By identifying an endpoint that exposed Git credentials, the researchers used the credentials to download Git repositories and identify user data and personally identifiable information (PII).

“In total, we identified over 100K+ private employee records. We also discovered multiple exposed .git directories on UN owned web servers [ilo.org], the .git contents could then be exfiltrated with various tools such as “git-dumper”,” said researchers.

Travel and employee data was among the findings. Records contained employee IDs, names, employee groups, travel justification, start and end dates, approval status, destination, and the length of stay. Researchers also found HR data, such as nationality, gender, and pay grade, on thousands of employees.

“In total, we found 7 additional credential-pairs which could have resulted in unauthorized access of multiple databases. We decided to stop and report this vulnerability once we were able to access PII that was exposed via Database backups that were in the private projects,” said researchers.

Javvad Malik, security awareness advocate at KnowBe4, told IT Pro it’s easy for organizations, especially global ones, to have data spread across various systems and platforms. 

“Keeping track of all these disparate systems can be challenging enough and ensuring the right security settings are applied and that credentials are appropriately managed is key,” Malik said. “While many technologies and processes exist to help secure organizations to prevent these kinds of issues, it is essential that organizations cultivate a culture of security so that everyone is aware of the role they have to play in securing the organization as it's not something a security department can do on their own."

Martin Jartelius, CSO at Outpost24, told IT Pro the flaws we see in this case are all related to users configuring those servers, leaving files exposed and software misconfigured. 

“Those are flaws in usage, not flaws in software. It is in parts further concerning as those systems were internet exposed, and in turn, held credentials for other systems,” he said.

“With access to some of the indicated information and the simplicity of the breach, attackers may well have access to this information. It is one of the basic controls any experienced analyst performs against a system they are auditing, yet it is still surprisingly often a rewarding path to take provided the attack surface is sufficiently large, such as a full organization."

Featured Resources

The definitive guide to warehouse efficiency

Get your free guide to creating efficiencies in the warehouse

Free download

The total economic impact™ of Datto

Cost savings and business benefits of using Datto Integrated Solutions

Download now

Three-step guide to modern customer experience

Support the critical role CX plays in your business

Free download

Ransomware report

The global state of the channel

Download now

Recommended

Are you over-sharing online?
social media

Are you over-sharing online?

1 Sep 2021
What is customer identity and access management? 
identity and access management (IAM)

What is customer identity and access management? 

19 Aug 2021
Indiana notifies 750,000 after COVID-19 tracing data accessed
data breaches

Indiana notifies 750,000 after COVID-19 tracing data accessed

18 Aug 2021
Pearson fined $1 million for downplaying severity of 2018 breach
data breaches

Pearson fined $1 million for downplaying severity of 2018 breach

17 Aug 2021

Most Popular

What are the pros and cons of AI?
machine learning

What are the pros and cons of AI?

8 Sep 2021
Google takes down map showing homes of 111,000 Guntrader customers
data breaches

Google takes down map showing homes of 111,000 Guntrader customers

2 Sep 2021
Intuit plans end-to-end SMB platform after $12 billion Mailchimp acquisition
mergers and acquisitions

Intuit plans end-to-end SMB platform after $12 billion Mailchimp acquisition

14 Sep 2021