Over 102,000 UN Employees Had Their PII Exposed

By Bill Toulas / January 11, 2021

A poorly configured Git repository has exposed the personally identifiable information (PII) of over 102,000 employees of the United Nations Environmental Programme (UNEP). The dataset's discovery came from white-hat hackers of the ‘Sakura Samurai’ group, which was formed only about 10 days ago. The researchers reported the vulnerability to the UN, but not before they managed to exfiltrate all of the exposed data, for confirmation purposes, of course.

As the hackers detail in their blog post, they were going after the UN’s lucrative vulnerability disclosure program payouts but never expected it would be so easy or quick (less than 24 hours) to access a galore of highly-sensitive data.

The details that were copied from the exposed Git repo include the following:

The report to the UN happened on January 4, 2021, but the intergovernmental organization initially failed to realize the scope of the problem. Soon, UNEP activated its DevOps to help secure the data, which eventually happened after about a week had passed. Whether or not that was enough time for malicious actors to access the data remains unknown, but it’s very likely.

As the researchers explain, they found an additional seven credential pairs in the original set of data, which would give them access to the UNEP production environment and more GitHub projects holding multiple other databases. As this was going way too far for their research purposes, they decided to stop there and report the vulnerability. This doesn’t mean that other actors moved in the same way, so the impact of this incident could be deeper and wider than what is deduced from this report alone.

About a year ago, it was discovered that hackers had managed to breach into forty central UN servers and steal 400 GB in the process. Back then, the organization decided it would be better not to disclose the incident, but it still became public after six months and thanks to investigative journalists’ work. Evidently, all of the UN’s recent investments in bolstering its cyber-security were not nearly enough, as the crucial international organization is still pretty easy to hack into.

For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: