In August 2019, the United Nations’ European IT systems were compromised. The systems in question contained potentially sensitive information on thousands of U.N. staff members and, potentially, on those they worked with, including human rights activists. But because the U.N. is exempt from the rules that govern European companies, it wasn’t obliged to publicly disclose the breach or inform those affected.
The affected servers — more than 40 of them — are spread across three U.N. offices, two in Geneva, Switzerland, and one in Vienna, Austria. A leaked report from September 20, and seen by The New Humanitarian, which first reported on the breach, says the servers were initially compromised in July 2019, though it took a month before anyone realized. The artfulness of the attack suggests a state-funded group may be responsible.
Diplomatic immunity shouldn’t apply here — The U.N. exists outside of the legal confines that govern almost any other large organization. That’s useful and important when it comes to protecting activists or dissidents, or when engaging in other work that might otherwise see it muzzled, threatened or hamstrung.
But that same ability to self-govern is detrimental when it comes to things like data breaches. There’s a reason legislation threatens companies with enormous fines if they don’t disclose when user data has been compromised: without such laws, they never would, and those affected wouldn’t be able to take appropriate steps to safeguard their information nor be able to make informed, future decisions about which bodies to trust with it.
Staff weren't notified — Instead of notifying the estimated 4,000 affected U.N. staffers, the organization simply asked all staff to change their passwords. According to a senior U.N. IT official, an estimated 400GB of data may have been accessed and leaked, including staff records, health insurance information, and details of commercial contracts.
Whether a hack concerns Jeff Bezos’ phone, Ring security cameras, or a convenience store chain, disclosure helps others avoid falling victim. Given the sensitivity of some of the information the U.N. holds, it should be compelled to disclose breaches to those affected by them immediately, if not publicly, then at least in private. The ongoing legitimacy of the organization and people’s trust in it depend on that.