How definitely not to handle a hack.
The United Nations' IT systems were penetrated by hackers 6 months ago, but the UN didn't bother to tell the public or even its own staff about the July 2019 hack — despite staff records having been compromised, reports Ben Parker at The New Humanitarian.
What's worse, the whole thing could have been prevented with a simple software patch.
One senior UN IT official called the matter a “major meltdown,” and TNH reports that staff records, health insurance, and commercial contract data were all compromised in the breach.
Excerpt from TNH:
On 30 August 2019, IT officials working at the UN’s Geneva offices issued an alert to their tech teams about a hacking incident:
'We are working under the assumption that the entire domain is compromised. The attacker doesn't show signs of activity so far, we assume they established their position and are dormant.'
The complex cyber attack on UN networks in Geneva and Vienna had started more than a month earlier but was only just being fully uncovered. Dozens of UN servers – including systems at its human rights offices, as well as its human resources department – were compromised and some administrator accounts breached, according to a confidential UN report obtained by The New Humanitarian. The breach is one of the largest ever known to have affected the world body.
The cyber attack – unreported until TNH’s investigation – started mid-July, according to the report. Dated 20 September, the report flags vulnerabilities, describes containment efforts, and includes a section titled: “Still counting our casualties”. The incident amounted to a “major meltdown”, according to a senior UN IT official familiar with the fallout, who spoke to TNH on condition of anonymity. This official provided TNH with the August 2019 alert above and several other alerts related to the breach.
In response to questions from TNH, the UN confirmed it had kept the data breach quiet.
Read more:
EXCLUSIVE: The cyber attack the UN tried to keep under wraps
[thenewhumanitarian.org, Ben Parker]
[via Techmeme]