The cyber attack the UN tried to keep under wraps

Posted on by Dissent

The New Humanitarian reports:

While researching cybersecurity last November, we came across a confidential report about the UN. Networks and databases had been severely compromised – and almost no one we spoke to had heard about it. This article about that attack adds to The New Humanitarian’s previous coverage on humanitarian data. We look at how the UN got hacked and how it handled this breach, raising questions about the UN’s responsibilities in data protection and its diplomatic privileges.

Read Ben Parker’s report on TNH. Here are their key findings from their report:

  • Hackers broke into dozens of UN servers starting in July 2019.
  • A senior UN IT official called the incident a “major meltdown”.
  • Staff records, health insurance, and commercial contract data were compromised.
  • Staff were asked to change their passwords but not told about the breach.
  • Under diplomatic immunity, the UN is not obliged to divulge what was obtained by the hackers or notify those affected.
  • The attack might have been avoided with a simple patch to fix a software bug.
  • Systems in Geneva and Vienna used by thousands of staff were compromised.
  • A UN spokesperson says the attack triggered a rebuild of multiple systems.
  • UN officials warned of major vulnerabilities years ago.

Commenting on Twitter on this story, Chris Vickery of UpGuard tweeted:

In Sept. 2017 I received a phone call from a high level individual within AWS Security during which I was criticized for reporting an exposed UN database to law enforcement instead of just letting the private company work it out.

Chris added:

“When “globaladmin” credentials and password hashes for any United Nations organization are exposed to the public internet, it’s completely reasonable to escalate notification and speed up the prompting of mitigation efforts.”

 

Category: Commentaries and AnalysesMiscellaneous