Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Security

Researchers Test UN's Cybersecurity, Find Personal Data On 100K Employees (securityledger.com) 9

chicksdaddy shares a report from The Security Ledger: Independent security researchers testing the security of the United Nations were able to compromise public-facing servers and a cloud-based GitHub development account used by the U.N. and lift data on more than 100,000 staff and employees, according to a report by The Security Ledger. Researchers affiliated with Sakura Samurai, a newly formed collective of independent security experts, exploited an exposed GitHub repository belonging to the International Labour Organization and the U.N.'s Environment Programme (UNEP) to obtain "multiple sets of database and application credentials" for UNEP applications, according to a blog post by one of the Sakura Samurai researchers, John Jackson, explaining the group's work.

Specifically, the group was able to obtain access to database backups for private UNEP projects that exposed a wealth of information on staff and operations. That includes a document with more than 1,000 U.N. employee names, emails; more than 100,000 employee travel records including destination, length of stay and employee ID numbers; more than 1,000 U.N. employee records and so on. The researchers stopped their search once they were able to obtain personally identifying information. However, they speculated that more data was likely accessible.

This discussion has been archived. No new comments can be posted.

Researchers Test UN's Cybersecurity, Find Personal Data On 100K Employees

Comments Filter:
  • They had no permission to access those computers in the manner they did. That is not independent security researchers that is criminal activity.
    • They had no permission to access those computers in the manner they did. That is not independent security researchers that is criminal activity.

      It is, but that doesn't make them not researchers. What would make them not researchers is if they abused that information. If they characterized and then deleted it, then they are researchers. If they sold it or even gave it away, they are not.

    • According to laws of which country? Problem is, most of UN presence in Internet is extraterritorial. This is very important for the UN to maintain its authority and not necessarily comply with local laws (e.g. UN agencies in Europe do not comply with GDPR). At the same time, the UN has no possibility to create laws and prosecution of its own, beyond administrative and HR rules. So the side effect of extraterritoriality is that there may be no law that you are breaking when attacking the UN, unless you are u
  • by Dutch Gun ( 899105 ) on Tuesday January 12, 2021 @09:48AM (#60932550)

    and lift data on more than 100,000 staff and employees

    It's a bit misleading to say information was gathered on 100,000 UN employees. The UN only has ~37,000 employees in total. It was 100,000 employee *travel records*. That's mentioned correctly later in the summary, but earlier they confuse the issue.

    Not that it makes much difference, but the pedant in me likes to keep things correct.

The unfacts, did we have them, are too imprecisely few to warrant our certitude.

Working...