[BreachExchange] UNICEF data leak reveals personal info of 8,000 online learners

Destry Winant destry at riskbasedsecurity.com
Tue Sep 10 09:59:24 EDT 2019


BRUSSELS — The United Nations children’s agency, UNICEF, has
inadvertently leaked personal information belonging to thousands of
users of its online learning portal Agora.

The website offers free training courses to UNICEF staff and members
of the public on issues such as child rights, humanitarian action,
research, and data.

On Aug. 26, an email containing personal details of 8,253 users
enrolled in courses on immunization went out to nearly 20,000 Agora

Asked about the incident, UNICEF’s media chief, Najwa Mekki, told
Devex in an email: “This was an inadvertent data leak caused by an
error when an internal user ran a report ... The personal information
accidentally leaked may include the names, email addresses, duty
stations, gender, organization, name of supervisor and contract type
of individuals who had enrolled in one of these courses, to the extent
that these details were included in their Agora user’s profile.”

UNICEF became aware of the incident the following day. “Our technical
teams promptly disabled the Agora functionality which allows such
reports to be sent and blocked the Agora server’s ability to send out
email attachments,” Mekki wrote. “These measures will prevent such an
incident from reoccurring.”

On Wednesday, Agora users were sent a message explaining that they may
have received an email on Aug. 26 that “contained a spreadsheet that
included the basic personal information of some of our users.” They
were asked to “permanently delete the email and all copies of the file
from your mailing system and download folder, as well as from your
recycle bin.”

In the message, UNICEF apologized for the incident and added that “an
internal assessment and review was launched as soon as the issue was
reported and the problem was quickly addressed to ensure that it does
not happen again.”

Sarah Telford, who leads the U.N.’s Centre for Humanitarian Data in
The Hague, told Devex that the incident was unfortunate but praised
UNICEF for being forthright in its response. Telford added that the
center has just released a guidance note, which it hoped would become
best practice on how humanitarian organizations can manage data

Clare Sullivan, managing director of CyberSMART, a new research center
at Georgetown University, told Devex that U.N. agencies are probably
exempt from the European Union’s General Data Protection Regulation,
which came into force in May 2018, though this is yet to be tested
through case law. In the unlikely event it did fall under GDPR,
Sullivan said UNICEF would need to notify relevant data protection
authorities within 72 hours of becoming aware of the incident.

Mekki wrote that UNICEF did not report the case to any authorities,
adding that “U.N. entities are not subject to GDPR.”

Even though this case involved the data of people using a training
module, rather than aid recipients, Siobhan Green, a tech consultant
working with aid agencies on data management and governance, told
Devex that the reputational damage to humanitarian organizations from
data incidents could be significant.

“We are finding that individuals — especially those already vulnerable
— are making decisions about what personal data they want to share
based on their beliefs about how that data will be used, shared or
protected. In extreme cases, we see people self-censoring or refusing
services out of a sense of self-protection. Will this risk result in
fewer people using our services? What is the impact of that behavior
on our ability to serve these audiences?” she asked.
