Over 102,000 UN Employees Had Their PII Exposed
- The United Nations has gone through another major security lapse, exposing the PII of thousands of its employees.
- The data was located and copied by white-hat hackers who could very easily infiltrate deeper.
- The accessed data include full names, email addresses, pay grade, ID numbers, travel details, and more.
A poorly configured Git repository has exposed the personally identifiable information (PII) of over 102,000 employees of the United Nations Environmental Programme (UNEP). The dataset's discovery came from white-hat hackers of the ‘Sakura Samurai’ group, which was formed only about 10 days ago. The researchers reported the vulnerability to the UN, but not before they managed to exfiltrate all of the exposed data, for confirmation purposes, of course.
As the hackers detail in their blog post, they were going after the UN’s lucrative vulnerability disclosure program payouts but never expected it would be so easy or quick (less than 24 hours) to access a galore of highly-sensitive data.
The details that were copied from the exposed Git repo include the following:
- Employee ID numbers
- Full names
- Employee group
- Employee pay grade
- Organization unit ID
- Organization unit text tags
- Travel records, travel justification, destination, duration of stay, and approval status
- Employee emails
- Employee work subareas
- Project IDs
- Project countries and areas
- Grant and co-financing amounts
- Project agencies
- Funding sources
- Project period
- Project approval status
The report to the UN happened on January 4, 2021, but the intergovernmental organization initially failed to realize the scope of the problem. Soon, UNEP activated its DevOps to help secure the data, which eventually happened after about a week had passed. Whether or not that was enough time for malicious actors to access the data remains unknown, but it’s very likely.
As the researchers explain, they found an additional seven credential pairs in the original set of data, which would give them access to the UNEP production environment and more GitHub projects holding multiple other databases. As this was going way too far for their research purposes, they decided to stop there and report the vulnerability. This doesn’t mean that other actors moved in the same way, so the impact of this incident could be deeper and wider than what is deduced from this report alone.
About a year ago, it was discovered that hackers had managed to breach into forty central UN servers and steal 400 GB in the process. Back then, the organization decided it would be better not to disclose the incident, but it still became public after six months and thanks to investigative journalists’ work. Evidently, all of the UN’s recent investments in bolstering its cyber-security were not nearly enough, as the crucial international organization is still pretty easy to hack into.