A cybersecurity researcher discovered a massive data leak exposing over 115,000 sensitive documents associated with the UN Trust Fund to End Violence against Women. The leaked data includes personal information, financial records, and victim testimonies, posing a serious risk to privacy and security.
Cybersecurity researcher Jeremiah Fowler discovered a misconfigured database affecting the United Nations (UN) Trust Fund to End Violence against Women. According to Fowler’s investigation, reported shared with Hackread.com, the exposed database was unsecured and unprotected by a password or any other security authentication, making it easily accessible to anyone with an internet connection.
The database contained over 115,000 records and 228 GB of sensitive data, including financial reports, staff documents, email addresses, contracts, and personal information of victims and charity workers in PDF, .XML, .JPG, and PNG formats.
The leaked documents revealed a wide range of confidential information, such as:
- Staff information: Names, tax data, salary information, and job roles
- Victim information: Names, email addresses, and personal experiences
- Financial details: Bank account information, audits, and financial reports
- Organizational docs: Contracts, certifications, and registration documents
The records indicated a connection with UN Women and the UN Trust Fund to End Violence against Women, with reference letters, UN logos, and file names indicating their association.
“Although the records indicated the files belonged to the UN Women agency, it is not known if they owned and managed the non-password-protected database or if it was under the control of a third-party contractor.”
Jeremiah Fowler
This breach poses a serious risk to the privacy and safety of those involved in the organization’s efforts to combat gender-based violence. The exposed data could potentially be used by malicious actors to target individuals and organizations associated with the UN Trust Fund.
For example, criminals can launch phishing attacks, identity theft, or blackmail attempts. The information exposed could be used for various malicious purposes, including identity theft, fraud, targeted phishing attacks, blackmail, extortion of funds from the UN Trust Fund, and harassment.
Victims, charity workers, and UN staff could be targeted to steal their identities, commit fraud, blackmail, or extort money from the UN Trust Fund. The breach also poses a security risk to vulnerable populations, which the UN Trust Fund is working to protect, as the exposure of personal information could lead to further harm or exploitation.
Moreover, exposed internal documents “could potentially provide criminals with insights into how the organizations operate, their key management, financial structures, and other details that may not have been intended to be public,” Fowler noted.
It is unclear who was managing the database, how it was left unprotected, and for how long it remained exposed. The good news is that UN Women secured the database after receiving a responsible disclosure notice from Fowler. The organization has also issued a scam alert and is working to mitigate the risks associated with the data exposure and to ensure that similar incidents do not occur in the future.
Nevertheless, this incident highlights the importance of strong cybersecurity measures to protect sensitive data, especially in the context of humanitarian organizations working in vulnerable regions.
RELATED TOPICS
- Facial DNA provider leaks biometric data via WordPress folder
- 3TB of clips from exposed home security cameras posted online
- “BreedReady” database of 1.8m Chinese women surfaced online
- Gender Diversity in Cybercrime Forums: Women Users on the Rise
- iCloud phishing scam – Man stole private photos of 620,000 women