#Privacy: United Nations kept cyber attack a secret

Last summer, dozens of United Nations (UN) servers were compromised to which officials at the world body kept it a secret from its employees. 

According to a confidential report about the UN leaked by The New Humanitarian (TNH), in mid-July last year dozens of servers were compromised including systems at its human rights offices and human resources department. In addition, some administrator accounts were also breached. 

It wasn’t until August 30, 2019, that IT officials working at the UN’s Geneva offices notified their tech teams about the incident stating: “We are working under the assumption that the entire domain is compromised. The attacker doesn’t show signs of activity so far, we assume they established their position and are dormant.”

According to the report, 42 servers were compromised and another 25 were deemed “suspicious.”

The impacted servers were located at the UN Office at Vienna; the UN Office at Geneva; and the UN Office of the High Commissioner for Human Rights (OHCHR) headquarters in Geneva. 

According to TNH, some 400GB of data is said to have been downloaded by hackers, to which internal documents, databases, emails, commercial information, and personal data may have been available to the hackers. It is not clear what other information was taken. 

The confidential report suggests that the UN Office at Geneva, which houses 1,600 staff, was the most seriously impacted office. 

The attack has caused controversy due to the UN keeping the incident a secret. Staff were told to reset their passwords but not told why. 

Stéphane Dujarric, UN spokesperson confirmed that it had kept the breach quiet, “As the exact nature and scope of the incident could not be determined, [the UN offices in Geneva and Vienna] decided not to publicly disclose the breach.”

Sean McDonald, a lawyer and specialist in the use of IT in international development told TNH: “You can’t be a global governance body and not be accountable for holding yourself to a professional standard.”

Linnet Taylor, associate professor at Tilburg Law School and researcher explained that it is normal in every sector to sweep bad news under the carpet, hence why there are laws enforced to prevent ths. 

Taylor added that the UN sits “outside the framework of laws developed around the world to deal with this problem, and [has] therefore not had to develop processes for transparency about breaches.”

‘Expecting any large and powerful organisation to self-regulate and behave perfectly ethically is not realistic.”


Join our free-to-attend digital event, Last Thursday in Privacy, addressing data protection, privacy and security challenges including working from home, COVID-19, global regulations and more. Visit https://digital.privsec.info/.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.