A database containing sensitive and personal information from the United Nations Trust Fund to End Violence Against Women was recently discovered to be openly accessible on the internet. The database, which contained over 115,000 files related to organizations partnering with or receiving funding from UN Women, was not password protected or access controlled. Security researcher Jeremiah Fowler discovered the database and alerted the UN, which promptly secured it. While incidents like this are not uncommon, Fowler stresses the importance of raising awareness about the threat of such misconfigurations. The UN Women database is a prime example of a small error that could have serious consequences for vulnerable communities, including women, children, and LGBTQ individuals living in hostile situations worldwide.
A spokesperson for UN Women stated that the organization is grateful for collaboration with cybersecurity researchers and is taking steps to prevent similar incidents in the future. The exposed data could potentially put individuals at risk in multiple ways, including through financial audits that reveal bank account information and detailed breakdowns of funding and budgeting. The information also includes employee details that could be used to map connections between civil society groups in a country or region. Additionally, the data could be used for scams: because the UN is a trusted organization, the exposed information could be used to create legitimate-looking communications. This incident serves as a reminder of the critical importance of cybersecurity, even for organizations doing important work on the ground.