UNICEF Leaks: UNICEF (United Nations Children’s Fund or United Nations International Children’s Emergency Fund), the children’s agency of the United Nations (UN), apologized after accidentally leaking the personal data of users of its online learning platform, Agora.
The leak occurred on 26th August, when 20,000 Agora users were accidentally emailed a spreadsheet containing the personal information of 8,253 people enrolled in a course about childhood immunization.
Among the information accidentally leaked were names, gender, email addresses, organization, contract type, duty stations, and name of the supervisor.
A staff member unwittingly triggered the leak after running a report. The incident was detected by UNICEF the day after the email was sent out, and their response was swift and effective.
In an email about the leak sent to Devex, UNICEF’s media chief Najwa Mike wrote: “Our technical experts quickly disabled the Agora functionality allowing the sending of such reports and blocking the possibility of the Agora server to send email attachments. All such measures will restrict a recurrence of such an incidence.”
After discovering the leak, UNICEF sent an apologetic email to Agora users. The message included an appeal for recipients to permanently delete the email containing the leaked data, erase any data downloaded, and then empty the recycle bin.
Plans are said to be in motion for UNICEF to carry out an internal assessment and review of the incident.
Learning portal Agora is free to access and open to UNICEF staff, partners and the general public. Part of the mandatory staff training program on Agora is an information security awareness course that teaches “data protection concepts and solutions, the use of UNICEF’s information resources and best cyber security practices at the job and at home.”
Commenting on the incident, Lamar Bailey, senior director of security research at Tripwire, said: “You can have all the industry-leading security controls in place, but nothing stops human error. Training employees is often overlooked, or the investment is not as high as it needs to be. Employee security training is always a tough area. Training programs can be rather simplistic, resulting in individuals ignoring or blowing them off.”