United Nations data breach exposed over 100k UNEP staff records

silversurfer

Today, researchers have responsibly disclosed a security vulnerability by exploiting which they could access over 100,000 private employee records of United Nations Environmental Programme (UNEP).
The data breach stemmed from exposed Git directories and credentials, which allowed the researchers to clone Git repositories and gather a large amount of personally identifiable information (PII) associated with over 100k employees.
Ethical hacking and security research group Sakura Samurai have now disclosed their findings on a vulnerability that let them access the private data of over 100,000 United Nations Environment Programme (UNEP) employees.
The documents and screenshots shared with BleepingComputer provide extensive details on the nature of this security flaw and all that it exposed.
Having come across the United Nation's Vulnerability Disclosure Program and InfoSec Hall of Fame, researchers Jackson Henry, Nick Sahler, John Jackson, and Aubrey Cottle of Sakura Samurai set out to hunt for any security flaws impacting UN systems. [...]
In an email interview with BleepingComputer, the group said:
"When we started researching the UN, we didn't think it would escalate so quickly. Within hours, we already had sensitive data and had identified vulnerabilities. Overall, in less than 24 full hours we obtained all of this data," Sakura Samurai told BleepingComputer.
"In total, we found 7 additional credential-pairs which could have resulted in unauthorized access of multiple databases. We decided to stop and report this vulnerability once we were able to access PII that was exposed via Database backups that were in the private projects," state the researchers in their blog post.
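The post names two failure modes behind the breach: web servers that serve their `.git` directory, and repository config files that carry credentials in remote URLs. The following is an added example, not code from BleepingComputer, Sakura Samurai or the UN, showing how a defender can audit their own hosts for both. The base URLs, the `fetch` callable and the sample `.git/config` text are constructed for the example.

```python
"""Defender-side audit for exposed .git directories and credentials in git config.

Added example for this thread; not code from the original article or the researchers.
All hostnames and the sample config below are constructed.
"""
import re
import urllib.request
from urllib.error import URLError
from urllib.parse import urlsplit

# A real .git/HEAD is either a symbolic ref or a bare 40-hex commit id.
# Matching the body (not just a 200 status) avoids false positives from
# catch-all pages that return 200 for every path.
GIT_HEAD_RE = re.compile(r"^(ref: refs/heads/[\w./-]+|[0-9a-f]{40})$")


def looks_like_git_head(body: str) -> bool:
    """True if the response body is what git writes to .git/HEAD."""
    return bool(GIT_HEAD_RE.match(body.strip()))


def default_fetch(url: str, timeout: float = 5.0):
    """Fetch url and return (status, body). Network errors count as unreachable."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read(4096).decode("utf-8", "replace")
    except URLError:
        return None, ""


def check_git_exposure(base_url: str, fetch=default_fetch) -> bool:
    """Report whether base_url serves its .git directory (check hosts you own).

    `fetch` is injectable so the check can be exercised offline in tests.
    """
    status, body = fetch(base_url.rstrip("/") + "/.git/HEAD")
    return status == 200 and looks_like_git_head(body)


def credentials_in_git_config(config_text: str) -> list:
    """Flag remote URLs in a git config that embed a username and/or password.

    Returns one dict per offending remote; scp-style ssh remotes such as
    git@host:org/repo.git carry no password and are not flagged.
    """
    findings = []
    remote = None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r'^\[remote "([^"]+)"\]$', line)
        if m:
            remote = m.group(1)
            continue
        if line.startswith("["):
            remote = None          # left the [remote "..."] section
            continue
        if remote and line.startswith("url"):
            _, _, value = line.partition("=")
            parts = urlsplit(value.strip())
            if parts.username:
                findings.append({
                    "remote": remote,
                    "host": parts.hostname,
                    "user": parts.username,
                    "has_password": parts.password is not None,
                })
    return findings


# Constructed sample .git/config: one HTTPS remote with an embedded
# deploy credential (the kind of leak that lets a stranger clone more),
# one ssh remote with nothing to flag.
SAMPLE_GIT_CONFIG = """\
[core]
\trepositoryformatversion = 0
[remote "origin"]
\turl = https://deploy:s3cret-placeholder@git.example.invalid/org/app.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
[remote "mirror"]
\turl = git@mirror.example.invalid:org/app.git
"""


if __name__ == "__main__":
    for finding in credentials_in_git_config(SAMPLE_GIT_CONFIG):
        print("credential in remote URL:", finding)
    # Run check_git_exposure("https://app.example.invalid") against hosts you administer.
```

A positive `check_git_exposure` result means the fix is at the web server (deny `/.git/` and any other dotfile path) and at deploy time (never ship the `.git` directory with the web root); a credential finding means the secret must be rotated, since anyone who cloned the repository already has it.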
 

mazskolnieces

Listen, if you have any online accounts or valuable personal data out there, then you have to assume it has or will fall into malicious hands. You have to take security measures outside of the world of IT that thwart the criminals. The security of your local host is the least of your concerns.

Not all nations provide robust methods to protect assets, but the easiest and most common-sense one is to create a checking account for internet purchases and then fund it only with the amount necessary at the time of purchase.

Gift or online cards are useless. If they get the info, they'll wipe everything from your card. So to counter that, you can fund those only with what is needed to make an online purchase. Then you have the issue of identity theft. A lot of the counter-measures for that are nation-specific.