Sunday, December 22, 2024

Unprotected UN Database Exposes 228GB of Gender Violence Victims’ Data

Cybersecurity researcher Jeremiah Fowler found a non-password-protected database with 115,000 records linked to the UN Trust Fund to End Violence against Women. This fund aims to prevent violence against women and girls by supporting organizations that address gender-based violence and promote women’s rights.
The unprotected database contained sensitive financial reports, audits, staff documents, email addresses, contracts, certifications, registration documents, and more: 115,141 files in various formats, 228 GB in total. Many documents were marked as confidential and should never have been publicly reachable. One .xls file listed 1,611 civil society organizations, detailing their UN application numbers, eligibility for support, application status, and mission information.
The database contained scanned passports, ID cards, and staff directories, including names, tax data, salaries, and job roles. It also had documents labeled “victim success stories” with names, email addresses, and personal experiences of those helped by the programs. One letter claimed to be from a Chibok schoolgirl kidnapped by Boko Haram in 2014. Revealing this information could seriously jeopardize the privacy and safety of charity workers and their beneficiaries.
Records showed a connection to UN Women and the UN Trust Fund to End Violence against Women, including reference letters for the UN and documents with UN logos. I reported my findings to the UN InfoSec and UN Women, and access to the database was restricted the next day. The UN Information Security team quickly replied, stating that the issue was specific to UN Women and advising me to report it to them.
The files appeared to belong to the UN Women agency, but it's unclear whether they managed the non-password-protected database or whether a third-party contractor did. It's also unknown how long the records were exposed or whether anyone else accessed them, as only an internal forensic audit can clarify this. I did not receive a response from UN Women by the time of publication.
A spokesperson for UN Women tells WIRED in a statement that the organization appreciates collaboration from cybersecurity researchers and combines any outside findings with its own telemetry and monitoring.
“As per our incident response procedure, containment measures were rapidly put in place and investigative actions are being taken,” the spokesperson said of the database Fowler discovered. “We are in the process of assessing how to communicate with the potential affected persons so that they are aware and alert as well as incorporating the lessons learned to prevent similar incidents in the future.”