A database containing sensitive and often personal information from the United Nations Trust Fund to End Violence Against Women was found to be publicly accessible online, exposing over 115,000 files related to organizations collaborating with or funded by UN Women. These documents varied widely, including staffing details, contracts, letters, and comprehensive financial audits concerning organizations that support vulnerable communities across the globe, including under oppressive regimes.
Security researcher Jeremiah Fowler identified the database, which lacked password protection or any other form of access control, and reported the issue to the UN, which then secured the database. Such incidents are not uncommon: researchers frequently uncover and report exposures of this kind to help organizations correct data management errors. Fowler stresses that this prevalence underscores the need to stay aware of the risks posed by these misconfigurations. The UN Women database is a significant example of a minor oversight that could heighten risks for women, children, and LGBTQ individuals living in dangerous situations around the world.
“They’re doing great work and assisting real people on the ground, but the cybersecurity aspect is still crucial,” Fowler remarks to WIRED. “I’ve encountered a lot of data breaches previously, involving various government agencies, but these organizations are supporting individuals who face danger simply for their identity and circumstances.”
A spokesperson for UN Women conveyed to WIRED that the organization values collaborations with cybersecurity researchers and integrates external findings with its internal telemetry and monitoring systems.
“According to our incident response protocol, containment measures were swiftly implemented and investigative actions are underway,” stated the spokesperson regarding the database that Fowler uncovered. “We are currently evaluating how to reach out to potentially affected individuals to ensure they are informed and alert, as well as integrating the insights gained to avert similar occurrences in the future.”
The data poses multiple risks to individuals. At the organizational level, some financial audits include bank account details, while more broadly, the disclosures reveal detailed information about each organization’s funding sources and budgeting practices. The data also includes comprehensive breakdowns of operational expenses and information about employees, potentially enabling someone to map the connections among civil society groups within various countries or regions. Such information could also be exploited in scams, given the trust the UN commands: the exposed data offers insight into the organizations’ internal workings and could serve as a template for malicious actors to fabricate credible communications that appear to originate from the UN.
“You have a compilation of organizations along with insights into their personnel and operations, and some of the projects I observed had budgets running into the millions,” Fowler remarks. “If this information fell into untrustworthy hands or made its way to the dark web, it could enable scammers or oppressive regimes to analyze which organizations operate where and who they collaborate with, allowing them to target those groups and even identify individuals they have been assisting.”
This brings us to another critical aspect of the discovery: beyond enabling scams and putting local organizations at risk, the data could be misused to directly threaten vulnerable individuals with extortion attempts or even action from local law enforcement.
“I came across letters from individuals who faced tragedies such as kidnapping, rape, and abuse—people sharing their experiences, likely under the belief that their identities would remain confidential,” Fowler recounts. “One letter detailed the story of someone who contracted HIV and received assistance from a foundation, revealing how they were ostracized by their family and friends.”
If these discoveries lead to a thorough review of the infrastructure and other assessments, it could significantly help UN Women—and the extensive network of UN entities as a whole—identify other easily rectified mistakes and mitigate the risk of future data breaches.