Security Bug Exposed 100K UN Employee Records

UNEP Employees’ Sensitive Data Exposed in Online Data Repository

A security vulnerability exposed sensitive employment and travel records of United Nations Environmental Programme (UNEP) employees. The data was downloaded through a Git repository.

The UNEP security vulnerability was exposed by cyber security researchers at Sakura Samurai 桜の侍.

“Ultimately, once we discovered the GitHub credentials, we were able to download a lot of private password-protected GitHub projects and within the projects we found multiple sets of database and application credentials for the UNEP production environment,” says the report.

• READ Malware Attack Impersonates US Health and Human Services

Ethical hackers at Sakura Samurai were able to access employee records of 100,000 UN employees.

Exposed data includes:

• Employee ID
• Name
• Employee Groups
• Destination
• Travel Justification
• Start and End Dates
• Approval Status
• Duration of travel

The researchers accessed other United Nations datasets as well.

• READ: DHS and UK Cyber Security Issue Joint Alert on Storm of COVID-19 Themed Cyberattacks

Exposed employee records include:

• Employee Name
• Employee Group
• Employee ID Numbers
• Nationality
• Gender
• Pay Grade
• Organization
• Work Unit Identification Number
• Organization Unit Text Tags

“The credentials gave us the ability to download the Git Repositories, identifying a ton of user credentials and PII. In total, we identified over 100K+ private employee records. We also discovered multiple exposed .git directories on UN owned web servers [ilo.org], the .git contents could then be exfiltrated with various tools such as “git-dumper”

The access has been closed. Saiful Ridwan, Chief of Enterprise Solutions at UNEP Reported to Bleeping Computer that the security vulnerability had been patched and that data breach notifications we’re being issued.