{"id":1465,"date":"2025-01-08T23:52:21","date_gmt":"2025-01-08T23:52:21","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=1465"},"modified":"2025-01-08T23:52:21","modified_gmt":"2025-01-08T23:52:21","slug":"un-agencys-job-application-database-breached-42000-records-stolen","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=1465","title":{"rendered":"UN agency\u2019s job application database breached, 42,000 records stolen"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>The International Civil Aviation Organization (ICAO) on Tuesday said that it is \u201cactively investigating reports of a potential information security incident allegedly linked to a threat actor known for targeting international organizations,\u201d and has initially concluded that \u201capproximately 42,000 recruitment application data records from April 2016 to July 2024\u201d were stolen.<\/p>\n<p>In its initial statement, the ICAO said, \u201cWe can confirm that this incident is limited to the recruitment database and does not affect any systems related to aviation safety or security operations.\u201d<\/p>\n<p>On Wednesday, ICAO officials elaborated on that statement during an email exchange between CSO Online and ICAO communications officer William Raillant-Clark, who said, \u201cICAO began its probe as soon as the claims were brought to our attention\u201d on January 5, 2025.<\/p>\n<p>But even if the systems impacting security were not directly affected, the information stolen could be used by attackers to impersonate airline officials with access to sensitive areas, according to Johannes Ullrich, the dean of research at the SANS Institute, which provides cybersecurity certifications and research.<\/p>\n<p>\u201cIt\u2019s very risky\u201d because \u201cwe don\u2019t 
know how [the attackers] are going to use the data that they now control. They could apply to jobs with that information,\u201d Ullrich said. \u201cIf they have the information from a solid job application and they can impersonate them, it could place them in places of trust. It might be in backend systems that exchange flight data and such, potentially disrupting air travel.\u201d<\/p>\n<p>When asked how ICAO can say that\u00a0this incident won\u2019t affect aviation safety or security, Raillant-Clark said that\u00a0the systems affected by this incident are not in any way connected or related to ICAO\u2019s aviation safety or security work.<\/p>\n<p>He said, \u201cwe are not in a position to validate claims or other statements made by external parties, and nor are we in a position to speculate on their intent.\u201d<\/p>\n<p>The agency said that the data was \u201cclaimed to be released by the threat actor known as Natohub.\u201d<\/p>\n<p><a href=\"https:\/\/www.redhotcyber.com\/en\/post\/natohub-claims-attack-on-natos-coi-potential-data-loss-of-362-members\/\">Reports have identified Natohub<\/a> as the alias a data thief uses on <a href=\"https:\/\/www.csoonline.com\/article\/3599555\/source-code-alleged-to-be-nokias-is-for-sale-online.html\">BreachForum, a cyberthief forum and marketplace<\/a>.\u00a0\u00a0<\/p>\n<p>Without getting specific, ICAO said, \u201cwe have implemented additional security measures to protect our systems. We are also working to identify and notify affected individuals.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Extensive data stolen<\/h2>\n<p>\u201cThe compromised data includes recruitment-related information that applicants entered into our system, such as names, email addresses, dates of birth, and employment history,\u201d the initial ICAO statement said. 
\u201cThe affected data does not include financial information, passwords, passport details, or any documents uploaded by applicants.\u201d<\/p>\n<p>There have been many reports of attacks on job application databases because they tend to have massive amounts of personally identifiable information (PII) and other sensitive information.\u00a0<\/p>\n<p>Adding to the cybersecurity problem is the fact that many enterprises tend to outsource these sites to third parties who may not have the most robust protections.<\/p>\n<p>One of the weaknesses in job application systems is the ability for applicants to upload files. \u201cAllowing uploading of files, especially PDFs, is one of the most dangerous things a system can allow,\u201d\u00a0 Ullrich said, noting it could let attackers upload malware.<\/p>\n<p>\u201cThese employment application databases are always targets because they have a lot of information\u201d and many companies \u201ccollect more data than they really need,\u201d he said.\u00a0<\/p>\n<p>For example, Ullrich pointed to the ICAO statement that dates of birth were stolen. \u201cDo they really need to ask that that early in the process?\u201d<\/p>\n<p>\u201cI hope that they have strong evidence that it was not leaked,\u201d he said, adding that the best tactics to protect such information are to encrypt as much data as possible and implement an automated mechanism to move data off of a public environment into a closed secure environment as quickly as possible.\u00a0<\/p>\n<p>Ullrich also questioned the portion of the ICAO statement that detailed what had not been stolen. 
Given that breach reports are routinely updated and expanded, it\u2019s much safer to say what was definitely stolen and not discuss what initially appears to have not been stolen.<\/p>\n<p>Combatting these issues requires sophisticated, experienced cybersecurity talent, which \u201cyou often don\u2019t find in these outsourced vendors\u201d handling job application functions, Ullrich said.\u00a0<\/p>\n<p>Given that the data grabbed spanned more than eight years, it seems likely that it was stored for an extensive period.\u00a0<\/p>\n<p>He also questioned whether the attacker had actually targeted the UN agency, or whether it was just an attack of opportunity, where the attacker found holes in the third-party job application firm\u2019s platform and was systematically going after all of its customers.\u00a0<\/p>\n<p>The attacker might be just \u201ctaking out sites created by this vendor,\u201d Ullrich said. \u201cIt\u2019s very possible that [ICAO] was not targeted, and was just caught because of someone fishing for sites with a particular vulnerability.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>The International Civil Aviation Organization (ICAO) on Tuesday said that it is \u201cactively investigating reports of a potential information security incident allegedly linked to a threat actor known for targeting international organizations,\u201d and has initially concluded that \u201capproximately 42,000 recruitment application data records from April 2016 to July 2024\u201d were stolen. 
In its initial statement, [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":1452,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-1465","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1465"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1465"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1465\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/1452"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1465"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1465"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1465"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}