Many of the national leaders gathering in New York this week for the United Nations General Assembly certainly can sympathize with the UN officials who are dealing with a data breach.
Cybersecurity researcher Kushagra Pathak tweeted yesterday that in August he had uncovered a trove of UN data that should have been locked down but was publicly accessible online, and that even after he notified the UN of his find, the organization was slow to respond.
“In August, I found 60 Trello boards, a public Jira and a bunch of Google Docs of the UN which contained credentials to multiple FTP servers, social media & email accounts, lots of internal comm. and documents,” he tweeted.
Pathak said he reported the exposure to the UN on August 20 but did not hear back for two weeks, at which point he was told the data would be reviewed. On Sept. 12 the UN said it could not reproduce the issues and asked Pathak for more information. That same day The Intercept contacted the UN, and by the next day the organization had begun locking down or removing the exposed data, according to Pathak.
Trello, a project-management tool used by many organizations to plan and track work, is used at the UN for internal and external communications, a spokesperson told The Intercept. A Trello board can be set to private, visible to the team, or public; a public board is readable by anyone who has its URL and can be indexed by search engines. Pathak said many of the boards he found were hosting information that should have been private.
“Information like unfixed bugs and security vulnerabilities, the credentials of their social media accounts, email accounts, server, admin dashboards is available on their public Trello Boards which are being indexed by all the search engines and anyone can easily find them,” he tweeted.
Most of the exposed Trello boards were found through Google dorking, Pathak noted: crafting ordinary search-engine queries (for example, restricting results to trello.com and searching for terms such as “password” or “ftp”) that surface indexed pages their owners never meant to publish.
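As an added example (not code from the article, from the UN, or from Trello), this is the audit an organization would run to catch this class of exposure before an outside researcher does: list each board's `permissionLevel` through Trello's REST API and flag any board set to `public`, then scan card titles and descriptions for credential-shaped strings such as `ftp://user:pass@host` or `password: ...`. The fetch functions are written against the real Trello endpoints (`GET /1/organizations/{id}/boards` and `GET /1/boards/{id}/cards`, key/token authentication) but need a live API key, token and network access; the sample boards, the secret patterns, the redaction and the severity mapping are constructed for this example.

```python
"""Audit an organization's Trello boards for public visibility and leaked secrets.

Added example, not code from the article or from the UN/Trello. The live fetch
uses the real Trello REST API; the scanning logic is exercised on constructed
sample boards so the script runs offline.
"""
import json
import re
import urllib.parse
import urllib.request

TRELLO_API = "https://api.trello.com/1"

# Secret-looking strings to flag in card titles and descriptions.
# Constructed for this example; extend for your own environment.
SECRET_PATTERNS = {
    # ftp://user:pass@host, https://user:pass@host, ...
    "url_with_credentials": re.compile(
        r"\b(?:s?ftp|https?)://[^/\s:@]+:[^/\s@]+@[\w.-]+", re.I),
    # password: hunter2 / pwd = hunter2
    "password_assignment": re.compile(
        r"\b(?:pass(?:word|wd)?|pwd)\s*[:=]\s*\S+", re.I),
    # token=..., api_key: ..., secret: ... followed by a long opaque value
    "api_token": re.compile(
        r"\b(?:token|api[_-]?key|secret)\s*[:=]\s*[A-Za-z0-9_\-]{16,}", re.I),
}


def _get(path, key, token, **params):
    """Authenticated GET against the Trello API (live use only, not run offline)."""
    query = urllib.parse.urlencode({"key": key, "token": token, **params})
    with urllib.request.urlopen(f"{TRELLO_API}{path}?{query}") as resp:
        return json.load(resp)


def fetch_org_boards(org_id, key, token):
    """Return the org's boards with visibility prefs and their cards attached."""
    boards = _get(f"/organizations/{org_id}/boards", key, token,
                  fields="name,url,prefs")
    for board in boards:
        board["cards"] = _get(f"/boards/{board['id']}/cards", key, token,
                              fields="name,desc,url")
    return boards


def is_public(board):
    """Trello boards are 'private', 'org' or 'public'; only 'public' boards are
    reachable by anyone with the URL and indexable by search engines."""
    return board.get("prefs", {}).get("permissionLevel") == "public"


def scan_text(text):
    """Return (pattern_name, matched_text) for each secret-looking string in text."""
    hits = []
    for name, pattern in SECRET_PATTERNS.items():
        hits.extend((name, m.group(0)) for m in pattern.finditer(text or ""))
    return hits


def redact(value, keep=6):
    """Keep a short prefix so a finding is recognisable without copying the secret."""
    return value[:keep] + "***" if len(value) > keep else "***"


def audit(boards):
    """Turn boards (name, url, prefs, cards) into severity-rated findings."""
    findings = []
    for board in boards:
        public = is_public(board)
        for card in board.get("cards", []):
            text = f"{card.get('name', '')}\n{card.get('desc', '')}"
            for pattern, match in scan_text(text):
                findings.append({
                    "board": board["name"], "card": card.get("url"),
                    "pattern": pattern, "sample": redact(match),
                    # A credential on a public board is exposed to the world; on a
                    # private board it is still a secret stored in a task tracker.
                    "severity": "critical" if public else "high",
                })
        if public:  # internal comms on a public board are a finding by themselves
            findings.append({"board": board["name"], "card": None,
                             "pattern": "public_board",
                             "sample": board.get("url"), "severity": "medium"})
    return findings


# Constructed sample data in the shape the Trello API returns (not real UN boards).
SAMPLE_BOARDS = [
    {"name": "Website migration", "url": "https://trello.com/b/abc123/website-migration",
     "prefs": {"permissionLevel": "public"},
     "cards": [
         {"name": "Move files to new host", "url": "https://trello.com/c/c1",
          "desc": "Upload via ftp://deploy:Summer2018!@ftp.example.org/htdocs"},
         {"name": "Fix login bug", "url": "https://trello.com/c/c2",
          "desc": "Session cookie not invalidated on logout"},
     ]},
    {"name": "Comms team", "url": "https://trello.com/b/def456/comms",
     "prefs": {"permissionLevel": "private"},
     "cards": [
         {"name": "Twitter account", "url": "https://trello.com/c/c3",
          "desc": "user: @exampleorg\npassword: Tw1tterP@ss"},
     ]},
    {"name": "Internal roadmap", "url": "https://trello.com/b/ghi789/roadmap",
     "prefs": {"permissionLevel": "org"}, "cards": []},
]

if __name__ == "__main__":
    for f in audit(SAMPLE_BOARDS):
        print(f"[{f['severity']:8}] {f['board']}: {f['pattern']} {f['sample']}")
```

Run against a live organization with `audit(fetch_org_boards(org_id, key, token))`. The point of the severity split is that the fix for a `public_board` finding (flip the board to private or org-only) does not close a `password_assignment` or `url_with_credentials` finding: the credential has to be rotated and moved into a secrets store, because anyone who saw the board while it was public, including search-engine caches, may already have it.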
High-Tech Bridge’s CEO Ilia Kolochenko was somewhat forgiving of the UN, stating that it, like many large organizations, struggles with budgetary issues and cannot place a high priority on cybersecurity. “Moreover, similar security problems can be pretty easily discovered in the websites of many wealthy organizations and companies, who would not necessarily react faster or better to a vulnerability report. Therefore, without justifying negligence and carelessness in cybersecurity, I would nonetheless refrain from blaming the UN agency. Many large companies had incomparably higher resources at their disposal but still did not prevent tremendous data breaches in the past affecting billions of people,” he told SC Media.