A massive data breach involving a non-password-protected, non-encrypted database has put at risk the sensitive information of thousands of individuals and civil society organizations. The exposed database contained over 115,000 files, amounting to 228 GB of data in formats like .PDF, .XML, .JPG, and .PNG, all of which were freely accessible due to a lack of proper security measures. The compromised documents ranged from financial audits and staff directories to records explicitly marked as highly confidential.

Among the most alarming revelations were the extensive details of civil society organizations, including a list of 1,611 groups, complete with internal UN application numbers, eligibility status, application progress, organizational scope, and specifics regarding their missions. This information was stored in a single Excel (.XLS) file. The database also held scanned images of passports and ID cards, tax data, salary information, and job roles of staff members within various organizations.

The exposed database contained documents linked to the UN Women agency and the UN Trust Fund to End Violence against Women. Several files bore UN logos, while others included reference letters addressed to the United Nations. The sensitive information also extended to documents labeled as “victim success stories” or testimonies. These records often contained the names, email addresses, and personal experiences of those receiving assistance from these programs. For example, one letter appeared to be from a Chibok schoolgirl, one of the 276 individuals kidnapped by Boko Haram in 2014, revealing deeply personal information.

Experts warn that the exposure of this information could have serious implications. The database included details of individuals who received aid, some of whom may be survivors of violence or persecution. The unintended exposure could jeopardize the safety of these individuals and charity workers, particularly if hostile actors access these records.

A security researcher who discovered the UN Women Data Breach reported it immediately to the general UN InfoSec address and the UN Women agency. Public access to the exposed database was restricted the following day. However, the researcher received a somewhat concerning response from the UN Information Security team, which stated, “The reported vulnerability does not pertain to us (the United Nations Secretariat) and is for UN Women. Please report the vulnerability to UN WOMEN.” This statement leaves ambiguity around the ownership and control of the exposed database.

While records and file names indicate a strong association with the UN Women agency, it remains unclear whether the database was directly managed by UN Women or by a third-party contractor. It is also unknown how long the records remained accessible to the public or whether other unauthorized parties accessed the data. Only a detailed internal forensic audit can uncover the full scope of the breach.

Cybersecurity experts highlight that such incidents underline the urgency of implementing strict security controls and regular audits within organizations managing sensitive data. Without protective measures like password restrictions and encryption, databases housing highly sensitive information can be a treasure trove for malicious actors, putting lives and missions at risk.

The exposed documents underscore the delicate nature of the work carried out by humanitarian organizations like UN Women and the pressing need for robust information security to protect the vulnerable communities they serve. Further investigation and transparency are expected in the coming days as the UN and its agencies grapple with the fallout of this incident.