Over 102,000 UN Employees Had Their PII Exposed

  • The United Nations has gone through another major security lapse, exposing the PII of thousands of its employees.
  • The data was located and copied by white-hat hackers who could very easily infiltrate deeper.
  • The accessed data include full names, email addresses, pay grade, ID numbers, travel details, and more.

A poorly configured Git repository has exposed the personally identifiable information (PII) of over 102,000 employees of the United Nations Environmental Programme (UNEP). The dataset's discovery came from white-hat hackers of the ‘Sakura Samurai’ group, which was formed only about 10 days ago. The researchers reported the vulnerability to the UN, but not before they managed to exfiltrate all of the exposed data, for confirmation purposes, of course.

As the hackers detail in their blog post, they were going after the UN’s lucrative vulnerability disclosure program payouts but never expected it would be so easy or quick (less than 24 hours) to access a galore of highly-sensitive data.

The details that were copied from the exposed Git repo include the following:

  • Employee ID numbers
  • Full names
  • Employee group
  • Employee pay grade
  • Organization unit ID
  • Organization unit text tags
  • Travel records, travel justification, destination, duration of stay, and approval status
  • Employee emails
  • Employee work subareas
  • Project IDs
  • Project countries and areas
  • Grant and co-financing amounts
  • Project agencies
  • Funding sources
  • Project period
  • Project approval status

The report to the UN happened on January 4, 2021, but the intergovernmental organization initially failed to realize the scope of the problem. Soon, UNEP activated its DevOps to help secure the data, which eventually happened after about a week had passed. Whether or not that was enough time for malicious actors to access the data remains unknown, but it’s very likely.

As the researchers explain, they found an additional seven credential pairs in the original set of data, which would give them access to the UNEP production environment and more GitHub projects holding multiple other databases. As this was going way too far for their research purposes, they decided to stop there and report the vulnerability. This doesn’t mean that other actors moved in the same way, so the impact of this incident could be deeper and wider than what is deduced from this report alone.

About a year ago, it was discovered that hackers had managed to breach into forty central UN servers and steal 400 GB in the process. Back then, the organization decided it would be better not to disclose the incident, but it still became public after six months and thanks to investigative journalists’ work. Evidently, all of the UN’s recent investments in bolstering its cyber-security were not nearly enough, as the crucial international organization is still pretty easy to hack into.

Shanghai Masters 2023 Live Stream: How to Watch Tennis Online from Anywhere
The 2023 ATP Tour continues this week with one of the most prestigious events of the year set to take place. The...
How to Watch Forged in Fire Season 10 Online from Anywhere
Forged in Fire is an exciting competition show where world-class bladesmiths re-create historical weapons. The show will be available in the US...
How to Watch SurrealEstate Season 2 Online from Anywhere
Did a ghost spook away potential homebuyers from your charming 2LDK? Or perhaps a terrifying encounter with a werewolf in the basement...
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: Chrome, Edge, Firefox, Safari