‘Large volume’ of data stolen from UN agency after ransomware attack

The attack is just the latest in a string targeting the multilateral body in recent years.
The building of the UN City is pictured in Copenhagen, Denmark, on January 24, 2024. The UN City is located in Copenhagen's Nordhavn and houses 11 UN organizations with 1,500 employees from over 100 nationalities (Photo by Ida Marie Odgaard / Ritzau Scanpix / AFP) / Denmark OUT

A large volume of United Nations Development Programme data related to staffers and other internal operations was stolen and posted to a ransomware website in late March, the agency announced this week. 

The UNDP issued a statement Tuesday saying that “local IT infrastructure in UN City, Copenhagen, was targeted,” and that a “data extortion actor had stolen data which included certain human resources and procurement information.”

The statement did not detail the kind of data that was stolen from the UN’s lead agency on international development. But notifications shared with affected parties and viewed by CyberScoop said attackers were able to “access a number of servers” and steal “a large volume of data.”

The data could include dates of birth, social security numbers, bank account information, passport details, and information related to former and current staffers’ family members, as well as information related to contractors, according to notification information shared with CyberScoop.


The agency’s statement did not identify the group behind the attack. But a post on the ransomware extortion site for a group called “8Base” claimed credit for the attack on March 27, the same date flagged in the Tuesday UNDP announcement. The data was published April 3, according to the 8Base post, but a link to the data has since expired.  

8Base is a ransomware operation dating to at least March 2022, according to a June 2023 analysis from VMWare.

Various units of the sprawling United Nations apparatus have suffered cyberattacks in recent years. A January 2020 report in The New Humanitarian exposed a previously unreported 2019 attack that “resulted in a compromise of core infrastructure components,” UN spokesperson Stéphane Dujarric told the publication at the time. In September 2021, the UN acknowledged that multiple successful attacks on the organization took place after login credentials for credential software used to manage internal projects were sold on the dark web, CNN reported at the time.

The UN did not immediately respond to a request for additional information Thursday.

AJ Vicens

Written by AJ Vicens

AJ covers nation-state threats and cybercrime. He was previously a reporter at Mother Jones. Get in touch via Signal/WhatsApp: (810-206-9411).

Latest Podcasts