A database believed to belong to the United Nations Trust Fund to End Violence Against Women has been discovered unsecured online and contains financial reports, bank account details, employee data, victims’ testimonies and more.
The database, which contains a total of 228 GB of information, was discovered by cybersecurity researcher Jeremiah Fowler and reported to vpnMentor.
It lacked any password protection, with the 115,141 files appearing unencrypted and accessible to anyone with an internet connection.
Victim and employee information exposed
Although not yet confirmed, the database contained information relating to UN Women and the UN Trust Fund to End Violence against Women, including letters and documents addressed to the UN and bearing UN logos, with specific references to UN Women.
Among the information in the database, Fowler identified scanned passport documents and identity cards, in addition to detailed information about staff roles, including names, positions, salary information and tax details.
“There were also documents labeled as ‘victim success stories’ or testimonials,” Fowler wrote in his report for vpnMentor. “Some of these include the names and email addresses of those helped by the programmes, as well as details of their personal experiences. For example, one of the letters allegedly came from a schoolgirl from Chibok, one of the 276 people kidnapped by Boko Haram in 2014.”
It is not known how long the database was publicly accessible, whether it is maintained by UN Women or by a third party, or whether it was accessed by anyone outside the organization.
Fowler describes several hypothetical scenarios in which the data could be misused, such as convincing spearphishing attacks against the exposed email addresses using doctored documents. In theory, a threat actor could also use the documents to gain a detailed understanding of the organization’s structure and finances.
The UN Women organization has posted an undated scam alert on its website; the page dates back to at least July 2022 and was updated in July 2024 with a guide to using the Quantum purchasing verification portal. Fowler alerted the UN information security team to the unprotected database and received a response stating: “The reported vulnerability does not concern us (the United Nations Secretariat) and is for UN Women. Please report the vulnerability to UN WOMEN.”