A serious data breach has exposed a vast database containing highly confidential information, affecting thousands of individuals and civil society organizations. The compromised database, which was neither password-protected nor encrypted, held 115,141 files amounting to 228 GB of data, all accessible to the public. The leaked documents included financial records, staff directories, personal identification documents, and detailed reports.
Contained within the database was an Excel (.XLS) file listing 1,611 civil society organizations, complete with their internal United Nations (UN) application numbers, eligibility statuses, and application progress. These entries also detailed whether the organizations were local or national, along with comprehensive descriptions of their missions. Additionally, the exposed records revealed scanned copies of passports and identification cards, tax and salary information, and job roles of staff members.
The database also contained documents labeled as “victim success stories” or testimonies, many of which detailed the names, email addresses, and personal accounts of individuals helped by these programs. One letter appeared to be from a Chibok schoolgirl, one of the 276 individuals kidnapped by Boko Haram in 2014, sharing deeply personal details. This exposure raises serious concerns about the privacy and security of both charity workers and the victims or aid recipients featured in these reports.
The leaked records suggested a connection to UN Women and the UN Trust Fund to End Violence against Women. Many files featured UN logos or were addressed directly to the organization. Based on file names and document content, there were numerous indications pointing to the UN Women agency, but it remains unclear whether UN Women managed the database directly or if it was handled by a third-party contractor.
After discovering the exposed database, the researcher who found it immediately sent a responsible disclosure notice to the general UN Information Security (InfoSec) address and directly to UN Women. Access to the database was restricted the following day. However, the researcher received a response from the UN Information Security team clarifying that “the reported vulnerability does not pertain to us (the United Nations Secretariat) and is for UN Women. Please report the vulnerability to UN WOMEN.”
The timeline of the exposure remains uncertain, as does the extent to which other unauthorized parties might have accessed the database. Only a comprehensive internal forensic audit can determine how long the information was publicly accessible and who else, if anyone, might have obtained the data.
Cybersecurity professionals emphasize the risks posed by this type of data exposure, especially when dealing with organizations supporting vulnerable individuals and communities. They note that the absence of even basic security measures such as password protection and data encryption can leave sensitive information dangerously exposed, potentially threatening lives and endangering missions.
The UN Women data breach serves as a stark reminder of the critical need for strict data protection protocols within humanitarian organizations. It is expected that UN Women and other relevant parties will conduct further investigations to assess the extent of the breach and reinforce their data security measures going forward.