Thousands of confidential UN documents linked to gender equality push leaked online

News
By published

UN Women documents found on unprotected database could put workers and victims at risk

UN Flag
(Image credit: Shutterstock / Alexandros Michailidis)

A database believed to belong to the United Nations Trust Fund to End Violence against Women has been discovered unsecured online, containing financial reports, bank account information, staff details, victim testimonies and more.

The database, containing a total 228 GB of information, was discovered by cybersecurity researcher Jeremiah Fowler and reported to vpnMentor.

Victim and worker information exposed

While currently unconfirmed, the database contained information linked it to the UN Women and UN Trust Fund to End Violence against Women, including letters and documents addressed to the UN and stamped with UN logos, with specific reference to UN Women.

Amongst the information within the database, Fowler identified scanned passport documents and ID cards, alongside detailed information on staff roles including names, job roles, salary information and tax data.

“There were also documents labeled as “victim success stories” or testimonies,” Fowler wrote in his report for vpnMentor. “Some of these contained the names and email addresses of those helped by the programs, as well as details of their personal experiences. For instance, one of the letters purported to be from a Chibok schoolgirl who was one of the 276 individuals kidnapped by Boko Haram in 2014.”

A collection of documents and certificates from the UN Women database

A collection of documents and certificates from the UN Women database. (Image credit: vpnMentor / Jeremiah Fowler)

It is not known how long the database has been exposed for, whether the database is managed by the UN Women organization or a third party, or whether the database has been accessed by anyone outside of the organization.

Fowler explains several hypothetical situations in which the data could be misused, such as convincing spear phishing attacks against exposed email addresses using manipulated documents. Theoretically, a threat actor could also use the documents to gain a high-level understanding of the organization’s organizational and financial layout.

The UN Women organization has a scam alert posted on its website which is undated, but the page dates back to at least July 2022, with an update occurring in July 2024 adding a guide to using the Quantum procurement verification portal. Fowler alerted the UN Information Security team to the unprotected database, and received a response stating, “The reported vulnerability does not pertain to us (the United Nations Secretariat) and is for UN Women. Please report the vulnerability to UN WOMEN.”

More from TechRadar Pro

Benedict Collins
Benedict Collins
Senior Writer, Security

Benedict has been with TechRadar Pro for over two years, and has specialized in writing about cybersecurity, threat intelligence, and B2B security solutions. His coverage explores the critical areas of national security, including state-sponsored threat actors, APT groups, critical infrastructure, and social engineering.

Benedict holds an MA (Distinction) in Security, Intelligence, and Diplomacy from the Centre for Security and Intelligence Studies at the University of Buckingham, providing him with a strong academic foundation for his reporting on geopolitics, threat intelligence, and cyber-warfare.

Prior to his postgraduate studies, Benedict earned a BA in Politics with Journalism, providing him with the skills to translate complex political and security issues into comprehensible copy.