UNICEF Leaks Personal Data of 8000 Online Learners
The United Nations (UN) children’s agency UNICEF has apologized after inadvertently leaking the personal data of users of its online learning platform, Agora.
The leak occurred on August 26, when 20,000 Agora users were accidentally emailed a spreadsheet containing the personal information of 8,253 people enrolled in a course about childhood immunization.
Among the information accidentally leaked were names, email addresses, duty stations, gender, organization, name of supervisor, and contract type.
A staff member unwittingly triggered the leak after running a report. The incident was detected by UNICEF the day after the email was sent out, and its response was swift and effective.
In an email about the leak sent to Devex, UNICEF’s media chief Najwa Mekki wrote: “Our technical teams promptly disabled the Agora functionality which allows such reports to be sent and blocked the Agora server’s ability to send out email attachments. These measures will prevent such an incident from reoccurring.”
After discovering the leak, UNICEF sent an apologetic email to Agora users. The message included an appeal for recipients to permanently delete the email containing the leaked data, erase any data downloaded, and then empty the recycle bin.
Plans are said to be in motion for UNICEF to carry out an internal assessment and review of the incident.
Learning portal Agora is free to access and open to UNICEF staff, partners, and the general public. Part of the mandatory staff training program on Agora is an information security awareness course that teaches "concepts and solutions for data protection, use of UNICEF’s information assets and best practices for cyber security at work and at home."
Commenting on the incident, senior director of security research at Tripwire Lamar Bailey said: “You can have all the industry-leading security controls in place, but nothing stops human error.
“Training employees is often overlooked, or the investment is not as high as it needs to be. Employee security training is always a tough area. The training programs can be too simplistic, and this causes people to ignore them or blow them off.”
Source: Information Security Magazine