BreachExchange mailing list archives
UNICEF data leak reveals personal info of 8, 000 online learners
From: Destry Winant <destry () riskbasedsecurity com>
Date: Tue, 10 Sep 2019 08:59:24 -0500
https://www.devex.com/news/unicef-data-leak-reveals-personal-info-of-8-000-online-learners-95558 BRUSSELS — The United Nations children’s agency, UNICEF, has inadvertently leaked personal information belonging to thousands of users of its online learning portal Agora. The website offers free training courses to UNICEF staff and members of the public on issues such as child rights, humanitarian action, research, and data. On Aug. 26, an email containing personal details of 8,253 users enrolled in courses on immunization went out to nearly 20,000 Agora users. Asked about the incident, UNICEF’s media chief, Najwa Mekki, told Devex in an email: “This was an inadvertent data leak caused by an error when an internal user ran a report ... The personal information accidentally leaked may include the names, email addresses, duty stations, gender, organization, name of supervisor and contract type of individuals who had enrolled in one of these courses, to the extent that these details were included in their Agora user’s profile.” UNICEF became aware of the incident the following day. “Our technical teams promptly disabled the Agora functionality which allows such reports to be sent and blocked the Agora server’s ability to send out email attachments,” Mekki wrote. “These measures will prevent such an incident from reoccurring.” On Wednesday, Agora users were sent a message explaining that they may have received an email on Aug. 26 that “contained a spreadsheet that included the basic personal information of some of our users.” They were asked to “permanently delete the email and all copies of the file from your mailing system and download folder, as well as from your recycle bin.” In the message, UNICEF apologized for the incident and added that “an internal assessment and review was launched as soon as the issue was reported and the problem was quickly addressed to ensure that it does not happen again.” Sarah Telford, who leads the U.N.’s Centre for Humanitarian Data in The Hague, told Devex that the incident was unfortunate but praised UNICEF for being forthright in its response. Telford added that the center has just released a guidance note, which it hoped would become best practice on how humanitarian organizations can manage data incidents. Clare Sullivan, managing director of CyberSMART, a new research center at Georgetown University, told Devex that U.N. agencies are probably exempt from the European Union’s General Data Protection Regulation, which came into force in May 2018, though this is yet to be tested through case law. In the unlikely event it did fall under GDPR, Sullivan said UNICEF would need to notify relevant data protection authorities within 72 hours of becoming aware of the incident. Mekki wrote that UNICEF did not report the case to any authorities, adding that “U.N. entities are not subject to GDPR.” Even though this case involved the data of people using a training module, rather than aid recipients, Siobhan Green, a tech consultant working with aid agencies on data management and governance, told Devex that the reputational damage to humanitarian organizations from data incidents could be significant. “We are finding that individuals — especially those already vulnerable — are making decisions about what personal data they want to share based on their beliefs about how that data will be used, shared or protected. In extreme cases, we see people self-censoring or refusing services out of a sense of self-protection. Will this risk result in fewer people using our services? What is the impact of that behavior on our ability to serve these audiences?” she asked. _______________________________________________ BreachExchange mailing list sponsored by Risk Based Security BreachExchange () lists riskbasedsecurity com If you wish to Edit your membership or Unsubscribe you can do so at the following link: https://lists.riskbasedsecurity.com/listinfo/breachexchange
Current thread:
- UNICEF data leak reveals personal info of 8, 000 online learners Destry Winant (Sep 10)