Researchers Test UN's Cybersecurity, Find Personal Data On 100K Employees (securityledger.com)
chicksdaddy shares a report from The Security Ledger: Independent security researchers testing the security of the United Nations were able to compromise public-facing servers and a cloud-based GitHub development account used by the U.N. and lift data on more than 100,000 staff and employees, according to a report by The Security Ledger. Researchers affiliated with Sakura Samurai, a newly formed collective of independent security experts, exploited an exposed GitHub repository belonging to the International Labour Organization and the U.N.'s Environment Programme (UNEP) to obtain "multiple sets of database and application credentials" for UNEP applications, according to a blog post by one of the Sakura Samurai researchers, John Jackson, explaining the group's work.
Specifically, the group was able to obtain access to database backups for private UNEP projects that exposed a wealth of information on staff and operations. That includes a document with more than 1,000 U.N. employee names, emails; more than 100,000 employee travel records including destination, length of stay and employee ID numbers; more than 1,000 U.N. employee records and so on. The researchers stopped their search once they were able to obtain personally identifying information. However, they speculated that more data was likely accessible.
so now criminals are independent researchers? (Score:1, Interesting)
Re: (Score:2)
Please give us some information on HOW his win was "stolen". Mister Loser needs to go to prison.
Re: (Score:2)
His win was stolen; the electoral college gave him the victory despite The People choosing his opponent.
His loss was totally legit; he lost both the EC and the popular vote.
I know that's not what his most athletic supporters mean, though.
Re: (Score:3)
They had no permission to access those computers in the manner they did. That is not independent security researchers; that is criminal activity.
It is, but that doesn't make them not researchers. What would make them not researchers is if they abused that information. If they characterized and then deleted it, then they are researchers. If they sold it or even gave it away, they are not.
Re: (Score:2)
Slight clarification (Score:3)
and lift data on more than 100,000 staff and employees
It's a bit misleading to say information was gathered on 100,000 UN employees. The UN only has ~37,000 employees in total. It was 100,000 employee *travel records*. That's mentioned correctly later in the summary, but earlier they confuse the issue.
Not that it makes much difference, but the pedant in me likes to keep things correct.