Incident Of The Week: Leak Discloses UN Data Breach From 2019
Organization’s Integrity Questioned Due To Lack Of Transparency
Hackers broke into dozens of United Nations (UN) servers in July of last year, and UN officials kept quiet about it.
No one is safe from cyber threats, not even the United Nations. Stories of new data breaches seem to pop up so often that they can become background noise, but this isn't why no one heard of the 2019 UN hack. The entity didn't notify the press, law enforcement or even all of its staff.
In a recent story, The New Humanitarian revealed it had come across a confidential UN report detailing the incident. The news organization was researching cyber security when they found the document and said that no one they talked to knew anything about it.
The attacks targeted three UN offices, two in Geneva and one in Vienna, that have a total of around 4,000 staff members. The UN Office at Geneva received the most damage, with 33 of its servers compromised. The hackers also got into at least seven servers between the other two locations.
How Hackers Infiltrated the UN
The hackers were able to exploit a bug in Microsoft SharePoint to steal an estimated 400 GB of data. Microsoft had released a patch for this vulnerability in March of 2019, but the offices' IT staff didn't update the software in time. Their software was still vulnerable by July when hackers used it to break into a server in the Vienna office, gaining access to the rest of the system.
The affected servers held a variety of information, such as employees' personal data. While the full extent of the breach is unclear, the stolen data includes directories that could list staff records, health insurance systems and other resources. Officials didn't tell the potentially affected staff about the breach but did ask them to change their passwords.
The targeted offices work in a variety of political actions, including Syria peace talks, but the UN said that the hackers didn't access any sensitive data. But the nature of the attack raises questions of whether this was an act of political espionage.
If hackers were able to infiltrate the United Nations, then cybercrime is a threat to even the largest of companies. The IT staff at these offices put the SharePoint update off for just a few months, but this window was large enough for the hackers to exploit the bug. It's impossible to say for sure, but updating as soon as possible might have prevented the breach.
Businesses looking to avoid similar threats could benefit from frequent updates. Companies should continually reassess their cyber security measures, given the relevance and risk of cybercrime. This incident shows that data breaches can affect not just business documents but employees' personal information.
Why Officials Didn't Notify Anyone
Laws would require most organizations to disclose a breach of this size, but this doesn't apply to the UN. The UN benefits from diplomatic immunity, which means they are exempt from specific national laws, such as the European Union's General Data Protection Regulation (GDPR). The GDPR requires organizations to be transparent about data breaches, but as seen in this incident, the UN is immune.
In response to TNH, UN spokesperson Stéphane Dujarric said the offices decided not to disclose the breach because they couldn't determine its exact nature or scope. Still, the apparent cover-up has some people questioning the integrity of the organization. The UN themselves have issued statements regarding the importance of transparency in the digital age.
This incident isn't the first time the UN has kept quiet about cyber-attacks. The International Civil Aviation Organization, a branch of the UN, suffered a massive data breach in 2016 that was also undisclosed.
Growing Cyber Security Concerns
This attack on the UN represents growing concerns for all businesses. Hackers are becoming more sophisticated and acting on vulnerabilities quickly, so cyber security should be robust and updated continuously. The backlash against the UN's secrecy also emphasizes the importance of transparency.
While the extent of this most recent attack's damage remains unknown, it would appear that the UN has things back under control. The UN has not broken any laws in remaining silent, though some may be troubled by the behavior. Even without the threat of legal repercussions, it may have been best for the organization to disclose the incident, at least to those potentially affected by it.
See Related: Cyber Security Hub Incident Of The Week Vault