Misconfigured UN Database Leaks 228GB of Data on Victims of Gender Violence

A significant data breach has been uncovered, revealing over 115,000 sensitive documents linked to the UN Trust Fund to End Violence against Women. This compromise exposes personal data, financial records, and testimonies from victims, raising substantial privacy and security concerns.

Cybersecurity investigator Jeremiah Fowler identified a misconfigured, unsecured database related to the United Nations (UN) Trust Fund. As detailed in his findings, which were reported to Hackread.com, the database lacked any password protection or security authentication, allowing open access to anyone with internet capabilities.

This exposed database held more than 115,000 documents, amounting to approximately 228 GB of sensitive material. The records included financial statements, employment documentation, email addresses, contracts, along with personal details of victims and charity personnel, stored in formats such as PDF, .XML, .JPG, and PNG.

The leaked information encompassed a broad spectrum of confidential data, including names, tax filings, compensation details, and roles of staff members, personal experiences of victims, banking details, and various organizational documentation, such as contracts and registration forms.

Information within the records establishes a connection to UN Women and the UN Trust Fund, evidenced by letters, logos, and pertinent file names. While the database’s presence indicated ownership by UN Women, questions remain regarding its management and whether it was under the jurisdiction of an external contractor.


Misconfigured UN Database Exposes 228GB of Gender Violence Victims' Data
Screenshot from the exposed data via Jeremiah Fowler

“Although the records indicated the files belonged to the UN Women agency, it is not known if they owned and managed the non-password-protected database or if it was under the control of a third-party contractor.”

Jeremiah Fowler

This incident poses severe risks not only to the privacy but also to the safety of individuals involved in initiatives against gender-based violence. The disclosed information is potentially exploitable by malicious entities, leading to risks such as phishing schemes, identity theft, and extortion attempts targeting those linked to the UN Trust Fund.

Criminals might leverage the leaked data for diverse malicious objectives, including impersonating victims for fraud, instigating phishing attacks, or coercing financial gain from the UN Trust Fund itself. The fallout could particularly endanger vulnerable populations that the UN Trust Fund aims to protect, as personal details may lead to further victimization.

Furthermore, the availability of internal documents grants potential insights to criminals regarding organizational operations, management strategies, and financial frameworks — information not meant for public disclosure. Fowler emphasized the importance of understanding the attack vectors that could have facilitated this breach.

It remains unclear how the database was mismanaged and for what duration it was left vulnerable. The positive note is that following Fowler’s responsible disclosure, UN Women has secured the database and issued a scam alert. They are actively implementing measures to address the risks resulting from this data exposure and to prevent future occurrences.

This breach serves as a stark reminder of the crucial need for robust cybersecurity practices, particularly among humanitarian organizations operating in sensitive environments. The incident underlines the importance of vigilance in data security to safeguard against potential threats in a landscape where cyber risks are increasingly prevalent.

  1. Facial DNA provider leaks biometric data via WordPress folder
  2. 3TB of clips from exposed home security cameras posted online
  3. “BreedReady” database of 1.8m Chinese women surfaced online
  4. Gender Diversity in Cybercrime Forums: Women Users on the Rise
  5. iCloud phishing scam – Man stole private photos of 620,000 women

Source link

Leave a Reply

Your email address will not be published. Required fields are marked *