The systems of the United Nations Environmental Program (UNEP) were found to have contained a vulnerability that could have exposed 100,000 personal data records, Bleeping Computer has reported.
Ethical hackers from Sakura Samurai set out to analyze the strength of the UN's network and managed to obtain the data in less than 24 hours. By abusing exposed Git directories and credentials, the researchers successfully cloned Git repositories, successfully gathering plenty of data.
The data included information about UN staff travel: employee IDs, names, employee groups, travel justification, start and end dates, approval status, destination, and the length of stay.
The researchers also obtained HR demographic data - including nationality, gender, and pay grade - on thousands of employees. They also found project funding source records, generalized employee records and employment evaluation reports.
When the findings were initially reported to to the UN Office of Information and Communications Technology (OICT), the recipients failed to understand that the vulnerability lay with UNEP and discarded the information.
Saiful Ridwan, UNEP Chief of Enterprise Solutions, has since acknowledged the threat and said the team took “immediate steps” to remedy the problem. A disclosure notice, which is mandatory in cases like this, is still in the works.
The flaw was remedied in less than a week, but whether or not someone accessed the database remains to be seen. Given how easy it was to obtain, some experts believe it highly likely the data has been accessed by unauthorized actors.