United Nations suffers potential data breach

Hackers could have breached the database long before the UN applied a patch

The UN building with flags in front

Researchers have uncovered vulnerabilities in the United Nations Environmental Program (UNEP) computer systems that could have exposed 100,000 personal data records. 

According to a report by the ethical hacking company Sakura Samurai, which looked at the UN network’s strength, they obtained this data in less than 24 hours. By identifying an endpoint that exposed Git credentials, the researchers used the credentials to download Git repositories and identify user data and personally identifiable information (PII).

“In total, we identified over 100K+ private employee records. We also discovered multiple exposed .git directories on UN owned web servers [ilo.org], the .git contents could then be exfiltrated with various tools such as “git-dumper”,” said researchers.

Travel and employee data was among the findings. Records contained employee IDs, names, employee groups, travel justification, start and end dates, approval status, destination, and the length of stay. Researchers also found HR data, such as nationality, gender, and pay grade, on thousands of employees.

“In total, we found 7 additional credential-pairs which could have resulted in unauthorized access of multiple databases. We decided to stop and report this vulnerability once we were able to access PII that was exposed via Database backups that were in the private projects,” said researchers.

Javvad Malik, security awareness advocate at KnowBe4, told IT Pro it’s easy for organizations, especially global ones, to have data spread across various systems and platforms. 

“Keeping track of all these disparate systems can be challenging enough and ensuring the right security settings are applied and that credentials are appropriately managed is key,” Malik said. “While many technologies and processes exist to help secure organizations to prevent these kinds of issues, it is essential that organizations cultivate a culture of security so that everyone is aware of the role they have to play in securing the organization as it's not something a security department can do on their own."

Martin Jartelius, CSO at Outpost24, told IT Pro the flaws we see in this case are all related to users configuring those servers, leaving files exposed and software misconfigured. 

“Those are flaws in usage, not flaws in software. It is in parts further concerning as those systems were internet exposed, and in turn, held credentials for other systems,” he said.

“With access to some of the indicated information and the simplicity of the breach, attackers may well have access to this information. It is one of the basic controls any experienced analyst performs against a system they are auditing, yet it is still surprisingly often a rewarding path to take provided the attack surface is sufficiently large, such as a full organization."

Featured Resources

Choosing a collaboration platform

Eight questions every IT leader should ask

Download now

Performance benchmark: PostgreSQL/ MongoDB

Helping developers choose a database

Download now

Customer service vs. customer experience

Three-step guide to modern customer experience

Download now

Taking a proactive approach to cyber security

A complete guide to penetration testing

Download now

Recommended

1Password targets enterprise customers with Secrets Automation
IT infrastructure

1Password targets enterprise customers with Secrets Automation

14 Apr 2021
The definitive guide to IT security
Whitepaper

The definitive guide to IT security

9 Apr 2021
Hackers sell $38 million in gift cards on Russian marketplace
hacking

Hackers sell $38 million in gift cards on Russian marketplace

7 Apr 2021
Personal data of 533 million Facebook users found on hacking forum
data protection

Personal data of 533 million Facebook users found on hacking forum

5 Apr 2021

Most Popular

Microsoft is submerging servers in boiling liquid to prevent Teams outages
data centres

Microsoft is submerging servers in boiling liquid to prevent Teams outages

7 Apr 2021
How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

8 Apr 2021
UK exploring plans to launch its own digital currency
digital currency

UK exploring plans to launch its own digital currency

19 Apr 2021