The United Nations has suffered a data breach that exposed the details of more than 100,000 U.N. Environmental Program employees, but in a twist, the breach was uncovered by ethical hackers.

The discovery was made and revealed today by ethical hacking and security research group Sakura Samurai, which probed various U.N. databases after discovering that the intergovernmental organization had a vulnerability disclosure program.

The data breach involved exposed Git directories and Git credential files on domains associated with the UNEP and the U.N.’s International Labor Organization. Using these exposed details, Sakura Samurai’s ethical hackers dumped the contents of the Git files and cloned repositories using git-dumper, a tool used to dump a git repository from a website.

The dumped files included information about U.N. staff travel such as employee ID, names, employee groups, travel justification, start and end dates, approval status, destination and length of stay. Sakura Samurai also managed to obtain human resources data that included personally identifiable information as well as project funding resource records, generalized employee records and employment evaluation reports.

The whole point of having a vulnerability disclosure program is that vulnerabilities are exposed and dealt with, but in this regard, the U.N. utterly failed. According to Bleeping Computer, Sakura Samurai reported the vulnerability to the U.N. Jan. 4 and was met was a response that the issue did not pertain to the U.N. Secretariat or the U.N. ILO.

Eventually, the U.N. did actually pick up the fact that they were leaking data with Saiful Ridwan, chief of enterprise solutions at UNEP, eventually thanking Sakura Samurai for letting them know. In what could generously be described as a clown show, the UNEP told Bleeping Computer that dealing with the data breach disclosure was “challenging as we have not done this before.”

It’s not known with any certainty whether the data had been accessed by bad actors, but Sakura Samuari noted that it’s highly likely that the data had been accessed and stolen before it was discovered.

“Ethical Hacking group Sakura Samurai’s exposure of the United Nations Environment Program’s git repositories is another classic example of the consequences of an unintentional misconfiguration,” Saryu Nayyar, chief executive officer of unified security and risk analytics company Gurucul Solutions Pvt Ltd. A.G., told SiliconANGLE. “Fortunately, the U.N.’s IT team reacted quickly to close the hole, but it is likely that threat actors had already discovered the vulnerable data and acquired it themselves.”

Nayyar said that shows that even multinationals with mature cybersecurity practices are not immune to this kind of misconfiguration. “It points out the need for regular configuration reviews along with a full security stack that includes security analytics to identify and remediate these vulnerabilities before threat actors can discover them,” she added.

Chloé Messdaghi, chief strategist at cybersecurity intelligence firm Point3 Security Inc., noted that the process the researchers faced could have been a bit more transparent. “When a researcher reports something, the organization’s contact person needs to know who to direct the information to in order to immediately get the ball rolling – otherwise it slows down the process,” she said. “An automated ticketing process isn’t appropriate for vulnerability disclosure input.”

Photo: John Samuel/Wikimedia Commons