Earlier this year, it was revealed that a major cyberattack on the United Nations Development Programme (UNDP) had succeeded, compromising personally identifiable information (PII) belonging to users at UN system partners.
When did it happen?
According to UNDP, it received a threat notification about the breach on March 27, 2024 local time (March 28, 2024 JST).
Who was responsible?
While UNDP has not confirmed the identity of the attackers, a group calling itself 8Base has claimed responsibility for the attack and has published on the dark web a list of companies and the data it has exfiltrated.
8Base is known for its tactic of “double extortion.” With this tactic, attackers not only encrypt the data to hold it hostage in return for a ransom, but also steal it before encryption. The attackers then threaten the victim both with keeping the data encrypted and inaccessible and with leaking or selling the stolen data publicly, potentially causing significant financial or reputational damage.
What was stolen?
UNDP reported that the stolen data included certain human resources and procurement information.
According to security site Bleeping Computer, leaked files allegedly contain personal data, accounting data, certificates, employment contracts, confidentiality agreements, invoices, receipts, and more [1].
How has UNDP responded?
UNDP disclosed that it took immediate action to identify the source of the threat, contain it, and determine the specifics of the exposed data and affected users. Currently, UNDP says it is assessing the nature and scope of the attack and maintaining communication with affected users, stakeholders, and partners across the UN system.