A database believed to belong to the United Nations Trust Fund to End Violence Against Women was uncovered unsecured online, containing financial records, bank accounts, staff details, victim testimonies, and other information.
Jeremiah Fowler, a cybersecurity researcher, uncovered the database, which contained 228 GB of information, and reported it to vpnMentor. It lacked password protection, leaving its 115,141 files unencrypted and accessible to anyone with an internet connection.
While ownership has not been confirmed, the database contained data linking it to UN Women and the UN Trust Fund to End Violence Against Women, such as letters and documents addressed to the UN and stamped with UN insignia, with specific references to UN Women.
Fowler discovered scanned passport documents and ID cards in the database, as well as specific details on staff roles such as names, job titles, salary information, and tax data.
“There were also documents labelled as ‘victim success stories’ or testimonies,” Fowler wrote in his report. “Some of these contained the names and email addresses of those helped by the programs, as well as details of their personal experiences. For instance, one of the letters purported to be from a Chibok schoolgirl who was one of the 276 individuals kidnapped by Boko Haram in 2014.”
It is unclear how long the database has been exposed, whether it is managed by the UN Women organisation or a third party, and whether anyone outside of the organisation has accessed it.
Fowler outlines a number of hypothetical ways in which the data might be exploited, including convincing spear-phishing attempts that use customised documents to target vulnerable email accounts. The records might also, in theory, give a threat actor a high-level understanding of the organisation's structure and finances.
The UN Women organisation has an undated scam notice on its website, although the page dates back at least to July 2022, with an update in July 2024 that includes an instruction to use the Quantum procurement verification portal.
Fowler notified the UN Information Security team about the unprotected database, and received a response that stated, “The identified vulnerability does not belong to us (the United Nations Secretariat) and is for UN Women. Please report the vulnerability to UN Women.”