Incident Of The Week: Leak Discloses UN Data Breach From 2019

Organization’s Integrity Questioned Due To Lack Of Transparency

Kayla Matthews
02/07/2020

Hackers broke into dozens of United Nations (UN) servers in July of last year, and UN officials kept quiet about it.

No one is safe from cyber threats, not even the United Nations. Stories of new data breaches seem to pop up so often that they can become background noise, but this is not why no one heard of the 2019 UN hack. The entity did not notify the press, law enforcement or even all of its staff.

In a recent story, The New Humanitarian revealed it had come across a confidential UN report detailing the incident. The news organization was researching cyber security when they found the document and said that no one they talked to knew anything about it.

The attacks targeted three UN offices, two in Geneva and one in Vienna, that have a total of around 4,000 staff members. The UN Office at Geneva received the most damage, with 33 of its servers compromised. The hackers also got into at least seven servers between the other two locations.

How Hackers Infiltrated the UN

The hackers were able to exploit a bug in Microsoft SharePoint to steal an estimated 400 GB of data. Microsoft had released a patch for this vulnerability in March of 2019, but the offices' IT staff did not update the software in time. Their software was still vulnerable in July, when hackers used the bug to break into a server in the Vienna office, gaining access to the rest of the system.

The affected servers held a variety of information, such as employees' personal data. While the full extent of the breach is unclear, the stolen data includes directories that could list staff records, health insurance systems and other resources. Officials did not tell the potentially affected staff about the breach but did ask them to change their passwords.

The targeted offices are involved in a variety of political work, including Syria peace talks. The UN said that the hackers did not access any sensitive data, but the nature of the attack raises the question of whether this was an act of political espionage.

If hackers were able to infiltrate the United Nations, then cybercrime is a threat to even the largest of companies. The IT staff at these offices put the SharePoint update off for just a few months, but this window was large enough for the hackers to exploit the bug. It's impossible to say for sure, but updating as soon as possible might have prevented the breach.

Businesses looking to avoid similar threats could benefit from frequent updates. Companies should continually reassess their cyber security measures, given the relevance and risk of cybercrime. This incident shows that data breaches can affect not just business documents but employees' personal information.

Why Officials Didn't Notify Anyone

Laws would require most organizations to disclose a breach of this size, but these don't apply to the UN. The UN benefits from diplomatic immunity, which means it is exempt from specific national laws, such as the European Union's General Data Protection Regulation (GDPR). The GDPR requires organizations to be transparent about data breaches, but as seen in this incident, the UN is immune.

In response to The New Humanitarian (TNH), UN spokesperson Stéphane Dujarric said the offices decided not to disclose the breach because they couldn't determine its exact nature or scope. Still, the apparent cover-up has some people questioning the integrity of the organization. The UN itself has issued statements regarding the importance of transparency in the digital age.

This incident isn't the first time the UN has kept quiet about cyber-attacks. The International Civil Aviation Organization, a branch of the UN, suffered a massive data breach in 2016 that was also undisclosed.

Growing Cyber Security Concerns

This attack on the UN represents growing concerns for all businesses. Hackers are becoming more sophisticated and acting on vulnerabilities quickly, so cyber security should be robust and updated continuously. The backlash against the UN's secrecy also emphasizes the importance of transparency.

While the extent of this most recent attack's damage remains unknown, it would appear that the UN has things back under control. The UN has not broken any laws in remaining silent, though some may be troubled by the behavior. Even without the threat of legal repercussions, it may have been best for the organization to disclose the incident, at least to those potentially affected by it.