UK Authorities: A Stiff Upper Lip
February 18, 2020
They were not going to tell anyone what had happened. A confidential report reveals the United Nations fell victim to a massive data breach last year, we learn from The New Humanitarian’s report, “Exclusive: The Cyber Attack the UN Tried to Keep Under Wraps.” Why the organization felt justified in keeping this information secret even from those it affected is a mystery, but the cover-up does emphasize the power of diplomatic immunity. TNH senior editor Ben Parker describes what his team learned about the extent of the damage:
“Although it is unclear what documents and data the hackers obtained in the 2019 incident, the report seen by TNH implies that internal documents, databases, emails, commercial information, and personal data may have been available to the intruders – sensitive data that could have far-reaching repercussions for staff, individuals, and organizations communicating with and doing business with the UN. The compromised servers included 33 in the UN Office at Geneva, three at OHCHR in Geneva, and at least four in the Vienna office. According to the report, the breach also grabbed ‘active directories’, with each likely to list hundreds of users as well as human resources and health insurance systems, other databases, and network resources. The three affected offices have in total about 4,000 staff. The report, prepared by the UN Office at Geneva in the midst of containment efforts, suggests the cyber attack most seriously affected their office, which houses 1,600 staff working in a range of political and development units, including Syria peace talks, the humanitarian coordination office (OCHA), and the Economic Commission for Europe.”
The scope of the UN’s operations makes such a breach particularly troubling, but it is not entirely unexpected. An audit in 2012 identified an “unacceptable level of risk” in the organization’s cybersecurity. Although the organization took measures to address the concerns, a 2018 review found its security-assessment project to be severely lacking.
News of the breach is sure to concern anyone in sensitive regions working with the United Nations, particularly on human rights issues. In many countries, those who share information with the UN’s human rights office can be subject to surveillance, imprisonment, and even torture. Though it is not known who was behind the attack, it is said to look like the work of a “sophisticated threat actor”—a good description of nation states’ hacking programs. Failing to prevent the breach is bad enough. Refusing to notify everyone who might have been affected, notes Parker, is a dangerous breach of trust.
Cynthia Murrell, February 18, 2020