A database containing sensitive and sometimes personal information related to the United Nations Trust Fund to End Violence Against Women was found publicly accessible on the internet. This exposed over 115,000 files concerning organizations affiliated with or funded by UN Women. The contents include staffing details, contracts, letters, and comprehensive financial audits of organizations that support vulnerable communities globally, even within oppressive regimes.
Security researcher Jeremiah Fowler discovered the unsecured database and promptly informed the UN, which has since secured it. Such incidents are not unusual; numerous researchers often uncover and report similar data exposures to assist organizations in rectifying their data management errors. Fowler emphasizes the significance of raising awareness about the dangers of such configuration mistakes, pointing out that the UN Women database exemplifies how a minor error can pose increased risks to women, children, and LGBTQ individuals living in dangerous environments.
“They’re doing excellent work and assisting real people, but cybersecurity remains a critical concern,” Fowler stated to WIRED. “I have encountered many data breaches involving various government entities, but these organizations protect individuals who face risks simply for their identity and circumstances.”
In a statement to WIRED, a UN Women spokesperson expressed gratitude for the collaboration with cybersecurity experts and noted that they integrate external discoveries with their telemetry and monitoring systems.
“As part of our incident response protocols, we quickly implemented containment measures and are undertaking investigations,” the spokesperson said regarding the database discovered by Fowler. “We are currently evaluating how to communicate with potentially affected individuals so they are informed and alert, while also learning from this incident to prevent similar occurrences in the future.”
The exposed data poses risks in various ways. At the organizational level, some financial audits contain bank account information. More broadly, the disclosures reveal detailed insights into each organization’s funding sources and budget allocations. Additionally, the data includes breakdowns of operational expenses and employee information, which could facilitate mapping of connections among civil society groups in different regions. This detailed information can also be exploited by scammers, as the UN’s reputation as a trusted entity could enable malicious actors to create fraudulent communications that appear legitimate.