United Nations suffers potential data breach

Researchers have uncovered vulnerabilities in the United Nations Environmental Program (UNEP) computer systems that could have exposed 100,000 personal data records.

According to a report by the ethical hacking company Sakura Samurai, which looked at the UN network’s strength, they obtained this data in less than 24 hours. By identifying an endpoint that exposed Git credentials, the researchers used the credentials to download Git repositories and identify user data and personally identifiable information (PII).

“In total, we identified over 100K+ private employee records. We also discovered multiple exposed .git directories on UN owned web servers [ilo.org], the .git contents could then be exfiltrated with various tools such as “git-dumper”,” said researchers.

Travel and employee data was among the findings. Records contained employee IDs, names, employee groups, travel justification, start and end dates, approval status, destination, and the length of stay. Researchers also found HR data, such as nationality, gender, and pay grade, on thousands of employees.

“In total, we found 7 additional credential-pairs which could have resulted in unauthorized access of multiple databases. We decided to stop and report this vulnerability once we were able to access PII that was exposed via Database backups that were in the private projects,” said researchers.

Javvad Malik, security awareness advocate at KnowBe4, told IT Pro it’s easy for organizations, especially global ones, to have data spread across various systems and platforms.

“Keeping track of all these disparate systems can be challenging enough and ensuring the right security settings are applied and that credentials are appropriately managed is key,” Malik said. “While many technologies and processes exist to help secure organizations to prevent these kinds of issues, it is essential that organizations cultivate a culture of security so that everyone is aware of the role they have to play in securing the organization as it's not something a security department can do on their own."

Martin Jartelius, CSO at Outpost24, told IT Pro the flaws we see in this case are all related to users configuring those servers, leaving files exposed and software misconfigured.

“Those are flaws in usage, not flaws in software. It is in parts further concerning as those systems were internet exposed, and in turn, held credentials for other systems,” he said.

“With access to some of the indicated information and the simplicity of the breach, attackers may well have access to this information. It is one of the basic controls any experienced analyst performs against a system they are auditing, yet it is still surprisingly often a rewarding path to take provided the attack surface is sufficiently large, such as a full organization."