Data protection specialists report that UNICEF, the United Nations (UN) humanitarian assistance agency for children, mistakenly leaked the personal information of thousands of people through Agora, an online learning system. Although the official version speaks of a human error, many still fear that it is actually a hacking attack.
A couple of weeks ago, an email was mistakenly
sent to about 20k users of this learning platform; the message contained the
private information of 8,253 people enrolled in one of the UNICEF-led courses
through Agora. This platform offers various online courses on children’s rights
and humanitarian actions, as well as offering thousands of research, articles
and statistics on the status of children around the world. UNICEF
staff and external users are
members of Agora.
“This leak occurred inadvertently after
one of our users ran a report,” says a statement from UNICEF data
protection specialists. Personal details presented during this incident
include:
- Email
addresses - Gender
of users - Type
of link between the Agora user and UNICEF
UNICEF staff detected the incident one day
after mail containing personal information was sent; “The inconvenience has
already been corrected, we work to prevent something similar from occurring in
the future,” the statement adds.
All Agora users were notified of the incident,
and UNICEF requested to delete the spreadsheet containing the information
provided if they received it. The message concludes with an apology from the
organization.
International Institute of Cyber Security
(IICS) data protection experts say such incidents help cybercriminals build
huge databases for malicious purposes. As prevention measures, experts
recommend potentially affected users change their email account passwords, stay
alert to any suspicious email, and monitor their other online accounts, such as
social media profiles.
It is not yet known whether the European
authorities will investigate this incident under the General Data Protection
Regulation (DGPR); some experts believe that because it is a United Nations
agency, UNICEF could avoid data authorities’ investigation, at least for this
time. Clare Sullivan, data protection specialist at CyberSMART, mentions that
this is the most likely scenario, although it has yet to be discussed in
European courts.
In this regard, UNICEF Press Chief Najwa Mekki
said very clearly: “UNICEF is not subject to the GDPR; the official also
noted that the incident has not yet been reported to any authority.
However, the cybersecurity community believes
that the fact that UNICEF is not subject to GDPR does not mean that the agency
should not implement the strictest measures to protect the information of
staff, contributors and participants in its programs.
