Over 115,000 United Nations Documents Associated to Gender Equality Exposed Online

[…] The non-password-protected, non-encrypted/clear-text database contained financial reports and audits (including bank account information), staff documents, email addresses, contracts, certifications, registration documents, and much more. In total, the database held 115,141 files in .PDF, .xml, .jpg, .png, or other formats, amounting to 228 GB. Many of the documents I saw were marked as confidential and should not have been made publicly available. One single .xls file contained a list of 1,611 civil society organizations, including their internal UN application numbers, whether they are eligible for support, the status of their applications, whether they are local or national, and a range of detailed answers regarding the groups’ missions.

I also saw numerous scanned passports, ID cards, and staff directories of individual organizations. The staff documents included staff names, tax data, salary information, and job roles. There were also documents labeled as “victim success stories” or testimonies. Some of these contained the names and email addresses of those helped by the programs, as well as details of their personal experiences. For instance, one of the letters purported to be from a Chibok schoolgirl who was one of the 276 individuals kidnapped by Boko Haram in 2014. Exposure of this information could potentially have serious privacy or safety implications for charity workers and the individuals to whom they provide assistance or services.

The records indicated an association with UN Women and the UN Trust Fund to End Violence against Women. For instance, there were reference letters addressed directly to the UN, documents stamped with UN logos, and file names indicating the UN Women organization. I immediately sent a responsible disclosure notice of my findings to the general UN InfoSec address and UN Women, and public access to the database was restricted the following day. I received an immediate reply to my disclosure notice from the UN Information Security team stating “The reported vulnerability does not pertain to us (the United Nations Secretariat) and is for UN Women. Please report the vulnerability to UN WOMEN”.

Although the records indicated the files belonged to the UN Women agency, it is not known if they owned and managed the non-password protected database or if it was under the control of a third-party contractor. It is also unknown how long the records were exposed or if anyone else accessed them, as only an internal forensic audit can identify that information. I did not receive a reply from UN Women at the time of publication.

[…]

A scam alert was issued in an undated post on their website that reads “UN Women has been made aware of various correspondences—circulated via email, websites, social media, regular mail, or facsimile—falsely stating that they are issued by, or in association with UN Women, the United Nations, and/or its officials. These scams, which may seek to obtain money and/or, in many cases, personal details from the recipients of such correspondence, are fraudulent”. These scams typically operate by impersonating reputable organizations or individuals and requesting application fees, dues, or other payments.

[…]

Many of the charities operate in countries and regions where the potential threat of violence against women and members of the LGBTQ community is a serious safety concern. Protecting the privacy and identities of these individuals is extremely important. Criminals could potentially use social engineering methods to target charity workers — not only for financial gain, but in an effort to obtain the identities of vulnerable individuals who receive assistance from an organization.

[…]

Source: Over 115,000 United Nations Documents Associated to Gender Equality Exposed Online

Robin Edgar
