A database containing sensitive, sometimes personal information from the United Nations Trust Fund to End Violence Against Women was openly accessible on the internet, revealing more than 115,000 files related to organizations that partner with or receive funding from UN Women. The documents range from staffing information and contracts to letters and even detailed financial audits about organizations working with vulnerable communities around the world, including under repressive regimes.
Security researcher Jeremiah Fowler discovered the database, which was not password protected or otherwise access controlled, and disclosed the finding to the UN, which secured the database. Such incidents are not uncommon, and many researchers regularly find and disclose examples of exposures to help organizations correct data management mistakes. But Fowler emphasizes that this ubiquity is exactly why it is important to continue to raise awareness about the threat of such misconfigurations. The UN Women database is a prime example of a small error that could create additional risk for women, children, and LGBTQ people living in hostile situations worldwide.
“They’re doing great work and helping real people on the ground, but the cybersecurity aspect is still critical,” Fowler tells WIRED. “I’ve found lots of data before, including from all sorts of government agencies, but these organizations are helping people who are at risk just for being who they are, where they are.”
A spokesperson for UN Women tells WIRED in a statement that the organization appreciates collaboration from cybersecurity researchers and combines any outside findings with its own telemetry and monitoring.
“As per our incident response procedure, containment measures were rapidly put in place and investigative actions are being taken,” the spokesperson said of the database Fowler discovered. “We are in the process of assessing how to communicate with the potential affected persons so that they are aware and alert as well as incorporating the lessons learned to prevent similar incidents in the future.”
The data could expose people in multiple ways. At the organizational level, some of the financial audits include bank account information, but more broadly, the disclosures provide granular detail on where each organization gets its funding and how it budgets. The information also includes breakdowns of operating costs, and details about employees that could be used to map the interconnections between civil society groups in a country or region. Such information is also ripe for abuse in scams since the UN is such a trusted organization, and the exposed data would provide details on internal operations and potentially serve as templates for malicious actors to create legitimate-looking communications that purport to come from the UN.
“You have a list of organizations and details about their staff and activities, and some of the projects I saw had budgets in the millions of dollars,” Fowler says. “If this data fell into the wrong hands or it reached the dark web, you could have scammers or an authoritarian government looking at which organizations are working where, and who they’re working with, to target them and even find out names of people they’ve been helping.”
This leads to the other crucial element of the finding: In addition to fueling scams and potentially exposing local organizations, the data could be exploited to directly target at-risk individuals with extortion attempts or even local law enforcement action.
“I saw letters from people who were victims of kidnapping, rape, abuse—people telling their stories probably believing that they will remain anonymous,” Fowler says. “There was a letter from someone who had gotten HIV who was helped out by a foundation, and they told their whole story of how their family and friends had turned on them.”
If the finding spurs infrastructure reviews and additional detection efforts, it could go a long way toward helping UN Women—and the sprawling ecosystem of UN organizations more broadly—catch any other easy-to-fix errors and prevent potential data breaches.