IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

United Nations suffers potential data breach

Hackers could have breached the database long before the UN applied a patch

The UN building with flags in front

Researchers have uncovered vulnerabilities in the United Nations Environmental Program (UNEP) computer systems that could have exposed 100,000 personal data records. 

According to a report by the ethical hacking company Sakura Samurai, which looked at the UN network’s strength, they obtained this data in less than 24 hours. By identifying an endpoint that exposed Git credentials, the researchers used the credentials to download Git repositories and identify user data and personally identifiable information (PII).

“In total, we identified over 100K+ private employee records. We also discovered multiple exposed .git directories on UN owned web servers [ilo.org], the .git contents could then be exfiltrated with various tools such as “git-dumper”,” said researchers.

Travel and employee data was among the findings. Records contained employee IDs, names, employee groups, travel justification, start and end dates, approval status, destination, and the length of stay. Researchers also found HR data, such as nationality, gender, and pay grade, on thousands of employees.

“In total, we found 7 additional credential-pairs which could have resulted in unauthorized access of multiple databases. We decided to stop and report this vulnerability once we were able to access PII that was exposed via Database backups that were in the private projects,” said researchers.

Javvad Malik, security awareness advocate at KnowBe4, told IT Pro it’s easy for organizations, especially global ones, to have data spread across various systems and platforms. 

“Keeping track of all these disparate systems can be challenging enough and ensuring the right security settings are applied and that credentials are appropriately managed is key,” Malik said. “While many technologies and processes exist to help secure organizations to prevent these kinds of issues, it is essential that organizations cultivate a culture of security so that everyone is aware of the role they have to play in securing the organization as it's not something a security department can do on their own."

Martin Jartelius, CSO at Outpost24, told IT Pro the flaws we see in this case are all related to users configuring those servers, leaving files exposed and software misconfigured. 

“Those are flaws in usage, not flaws in software. It is in parts further concerning as those systems were internet exposed, and in turn, held credentials for other systems,” he said.

“With access to some of the indicated information and the simplicity of the breach, attackers may well have access to this information. It is one of the basic controls any experienced analyst performs against a system they are auditing, yet it is still surprisingly often a rewarding path to take provided the attack surface is sufficiently large, such as a full organization."

Featured Resources

Accelerating AI modernisation with data infrastructure

Generate business value from your AI initiatives

Free Download

Recommendations for managing AI risks

Integrate your external AI tool findings into your broader security programs

Free Download

Modernise your legacy databases in the cloud

An introduction to cloud databases

Free Download

Powering through to innovation

IT agility drive digital transformation

Free Download

Recommended

Ten ways to protect your company from the next big data breach
data breaches

Ten ways to protect your company from the next big data breach

18 Feb 2022
Gumtree site code made personal data of users and sellers publicly accessible
data protection

Gumtree site code made personal data of users and sellers publicly accessible

16 Dec 2021
Pizza chain exposed 100,000 employees' Social Security numbers
data breaches

Pizza chain exposed 100,000 employees' Social Security numbers

19 Nov 2021
83% of critical infrastructure companies have experienced breaches in the last three years
cyber security

83% of critical infrastructure companies have experienced breaches in the last three years

11 Nov 2021

Most Popular

Salaries for the least popular programming languages surge as much as 44%
Development

Salaries for the least popular programming languages surge as much as 44%

23 Jun 2022
The UK's best cities for tech workers in 2022
Business strategy

The UK's best cities for tech workers in 2022

24 Jun 2022
LockBit 2.0 ransomware disguised as PDFs distributed in email attacks
Security

LockBit 2.0 ransomware disguised as PDFs distributed in email attacks

27 Jun 2022