A database containing confidential, sometimes personal, information from the United Nations Trust Fund to End Violence Against Women was openly accessible on the Internet, exposing more than 115,000 files related to organizations that partner with UN Women or receive funding from it. The documents range from personnel and contract information to letters and even detailed financial audits of organizations working with vulnerable communities around the world, including under repressive regimes.
Security researcher Jeremiah Fowler discovered the database, which had no password protection or any other access control, and disclosed the finding to the UN, which then secured it. Such incidents are not uncommon, and many researchers regularly find and disclose exposures of this kind to help organizations correct data management errors. But Fowler emphasizes that this very ubiquity is why it is important to keep raising awareness of the threat posed by such misconfigurations. The UN Women database is a prime example of a small error that could create additional risk for women, children and LGBTQ people living in hostile situations around the world.
“They’re doing great work and helping real people on the ground, but the cybersecurity aspect is still critical,” Fowler tells WIRED. “I’ve found a lot of data before, including from all kinds of government agencies, but these organizations are helping people who are at risk simply by being who they are, where they are.”
A UN Women spokesperson told WIRED in a statement that the organization appreciates the collaboration of cybersecurity researchers and combines any external findings with its own telemetry and monitoring.
“Per our incident response procedure, containment measures were quickly implemented and investigative actions are being taken,” the spokesperson said of the database Fowler discovered. “We are in the process of evaluating how to communicate with potentially affected individuals to make them aware and alert, as well as incorporating lessons learned to prevent similar incidents in the future.”
The data could expose people in multiple ways. At the organizational level, some of the financial audits include bank account information, and more generally the exposed documents provide granular details about where each organization obtains its funding and how it budgets. The information also includes breakdowns of operating costs and details about employees that could be used to map the interconnections between civil society groups in a country or region. The information is also ripe for abuse in scams: the UN is a highly trusted organization, and the exposed data would give malicious actors details about internal operations that could serve as templates for seemingly legitimate communications purporting to come from the UN.