A cybersecurity researcher has uncovered a major data breach affecting the United Nations Trust Fund to End Violence against Women, exposing a vast trove of sensitive information. The breach, discovered by vpnMentor researcher Jeremiah Fowler, involved a non-password-protected database containing over 115,000 records. These records included a wide range of sensitive data, encompassing financial reports, audits, bank account information, staff documents, email addresses, and more.
The exposed data also included personal information, such as scanned passports, ID cards, staff directories, tax data, salary information, and names. Notably, one .xls file contained a detailed list of 1,611 civil society organizations working with the UN Trust Fund, including their internal application numbers, eligibility for support, application status, and detailed information about their missions.
Fowler highlighted the seriousness of the breach, stating that none of this data should have been publicly accessible. The researcher found that some files were marked as confidential, further emphasizing the gravity of the situation.
Fowler responsibly reported his findings to the UN’s InfoSec address and UN Women, prompting swift action to secure the database. Access was restricted the following day, mitigating further exposure. However, questions remain regarding the duration of the public accessibility and whether other individuals or entities accessed the sensitive files.
This data breach raises significant concerns about the security of sensitive data within UN organizations and the potential misuse of the exposed information. It underscores the need for stringent security measures and a proactive approach to preventing future breaches. The vulnerability of these vital organizations highlights the critical importance of cybersecurity and data protection in safeguarding sensitive information and protecting the privacy of individuals and organizations.