
UN 'covered up' serious data breach affecting thousands of workers


The United Nations fell victim to a massive cyberattack in July, but informed neither the public nor the employees affected. It is believed the attack was state-sponsored, but the identity of the hackers is unknown.

The incident, which came to light after a confidential document was leaked to The New Humanitarian, could have affected the data of up to 4,000 UN employees. Staff records, health insurance and commercial contract data were compromised in the breach.

Hackers gained access via a flaw in Microsoft SharePoint and used sophisticated malware to scrape dozens of UN servers across three of its European offices. It is thought the incident could have been avoided with a simple software patch.

The attack is among the largest ever encountered by the intergovernmental organisation.

Cover-up

Under diplomatic immunity, the UN does not have to report what information the hackers gained access to, nor notify the affected staff. When the breach was discovered in September, employees were advised to change their passwords but not informed of the reason.

“The attack resulted in a compromise of core infrastructure components,” said UN spokesperson Stéphane Dujarric. “As the exact nature and scope of the incident could not be determined, [the UN] decided not to publicly disclose the breach.”

Asked whether the vulnerability has yet been rectified, Dujarric said “multiple workshops and assessments have been conducted to verify that the exploited vulnerabilities have been mitigated.”

The damage to trust in the international institution may take longer to repair.

Via The New Humanitarian