A database believed to belong to the United Nations Trust Fund to End Violence against Women has been discovered unsecured online, containing financial reports, bank account information, staff details, victim testimonies and more.
The database, containing a total 228 GB of information, was discovered by cybersecurity researcher Jeremiah Fowler and reported to vpnMentor.
It lacked any password protection, with the 115,141 files displayed unencrypted and accessible to anyone with an internet connection.
Victim and worker information exposed
While currently unconfirmed, the database contained information linked it to the UN Women and UN Trust Fund to End Violence against Women, including letters and documents addressed to the UN and stamped with UN logos, with specific reference to UN Women.
Amongst the information within the database, Fowler identified scanned passport documents and ID cards, alongside detailed information on staff roles including names, job roles, salary information and tax data.
“There were also documents labeled as “victim success stories” or testimonies,” Fowler wrote in his report for vpnMentor. “Some of these contained the names and email addresses of those helped by the programs, as well as details of their personal experiences. For instance, one of the letters purported to be from a Chibok schoolgirl who was one of the 276 individuals kidnapped by Boko Haram in 2014.”
It is not known how long the database has been exposed for, whether the database is managed by the UN Women organization or a third party, or whether the database has been accessed by anyone outside of the organization.
Fowler explains several hypothetical situations in which the data could be misused, such as convincing spear phishing attacks against exposed email addresses using manipulated documents. Theoretically, a threat actor could also use the documents to gain a high-level understanding of the organization’s organizational and financial layout.
The UN Women organization has a scam alert posted on its website which is undated, but the page dates back to at least July 2022, with an update occurring in July 2024 adding a guide to using the Quantum procurement verification portal. Fowler alerted the UN Information Security team to the unprotected database, and received a response stating, “The reported vulnerability does not pertain to us (the United Nations Secretariat) and is for UN Women. Please report the vulnerability to UN WOMEN.”
More from TechRadar Pro
- Take a look at the best identity theft protection tools around
- The United Nations ditches Big Tech in a bid for security
- These are the best parental control apps