Thousands of confidential UN documents linked to gender equality push leaked online

News
By published

UN Women documents found on unprotected database could put workers and victims at risk

UN Flag
(Image credit: Shutterstock / Alexandros Michailidis)

A database believed to belong to the United Nations Trust Fund to End Violence against Women has been discovered unsecured online, containing financial reports, bank account information, staff details, victim testimonies and more.

The database, containing a total 228 GB of information, was discovered by cybersecurity researcher Jeremiah Fowler and reported to vpnMentor.

Article continues below

Victim and worker information exposed

While currently unconfirmed, the database contained information linked it to the UN Women and UN Trust Fund to End Violence against Women, including letters and documents addressed to the UN and stamped with UN logos, with specific reference to UN Women.

Amongst the information within the database, Fowler identified scanned passport documents and ID cards, alongside detailed information on staff roles including names, job roles, salary information and tax data.

“There were also documents labeled as “victim success stories” or testimonies,” Fowler wrote in his report for vpnMentor. “Some of these contained the names and email addresses of those helped by the programs, as well as details of their personal experiences. For instance, one of the letters purported to be from a Chibok schoolgirl who was one of the 276 individuals kidnapped by Boko Haram in 2014.”

A collection of documents and certificates from the UN Women database

A collection of documents and certificates from the UN Women database. (Image credit: vpnMentor / Jeremiah Fowler)

It is not known how long the database has been exposed for, whether the database is managed by the UN Women organization or a third party, or whether the database has been accessed by anyone outside of the organization.

Fowler explains several hypothetical situations in which the data could be misused, such as convincing spear phishing attacks against exposed email addresses using manipulated documents. Theoretically, a threat actor could also use the documents to gain a high-level understanding of the organization’s organizational and financial layout.

The UN Women organization has a scam alert posted on its website which is undated, but the page dates back to at least July 2022, with an update occurring in July 2024 adding a guide to using the Quantum procurement verification portal. Fowler alerted the UN Information Security team to the unprotected database, and received a response stating, “The reported vulnerability does not pertain to us (the United Nations Secretariat) and is for UN Women. Please report the vulnerability to UN WOMEN.”

More from TechRadar Pro

Benedict Collins
Benedict Collins
Senior Writer, Security

Benedict is a Senior Security Writer at TechRadar Pro, where he has specialized in covering the intersection of geopolitics, cyber-warfare, and business security.

Benedict provides detailed analysis on state-sponsored threat actors, APT groups, and the protection of critical national infrastructure, with his reporting bridging the gap between technical threat intelligence and B2B security strategy.

Benedict holds an MA (Distinction) in Security, Intelligence, and Diplomacy from the University of Buckingham Centre for Security and Intelligence Studies (BUCSIS), with his specialization providing him with a robust academic framework for deconstructing complex international conflicts and intelligence operations, and the ability to translate intricate security data into actionable insights.