Comment: UNICEF Data Leak Reveals Personal Info Of 8,000 Online Learners

It has been reported that The United Nations children’s agency, UNICEF, has inadvertently leaked personal information belonging to thousands of users of its online learning portal Agora. The website offers free training courses to UNICEF staff and members of the public on issues such as child rights, humanitarian action, research, and data. An email containing personal details of 8,253 users enrolled in courses on immunization went out to nearly 20,000 Agora users.

Notify of
6 Expert Comments
Most Voted
Newest Oldest
Inline Feedbacks
View all comments
Lisa Baergen
Lisa Baergen , VP of Marketing
InfoSec Expert
September 11, 2019 2:29 pm

Cybercriminals continue to build their database of account details and credentials. I continue to advise users to change their passwords immediately after being informed of a breach while not clicking on any links in unexpected emails, and to use unique passwords for each account they create. Password manager apps are a great way to help keep all of those credentials safe and secure. Once your data has been stolen, it is used by attackers in a number of ways, including account takeover and identity fraud.

Recently, we’ve seen a reduction in the impact of that stolen data as more and more institutions are implementing user authentication solutions that reduce the value of stolen data stopping the attacks. The data lost has the potential to be lucrative in the hands of cybercriminals who can use the stolen details to accurately mimic the legitimate customer in order to make fraudulent purchases, create new accounts, or facilitate a myriad of further cybercrime tactics.

By using a layered approach to digital security with behavioural analytics and passive biometric technologies, organisations can look across multiple aspects of the user’s interaction, instead of relying on static authentication information that is overly compromised. This layered approach devalues data obtained from breaches or social engineering attacks, as the attackers do not have enough data to access a victim’s account or make illegitimate purchases. Additionally, it creates a dynamic and intelligent authentication solution that is seamless, frictionless, and unobtrusive to consumers.

Last edited 2 years ago by Lisa Baergen
Javvad Malik
Javvad Malik , Security Awareness Advocate
InfoSec Expert
September 11, 2019 2:32 pm

This is unfortunately yet another example of where user error has led to private databases being left exposed. It highlights the dire need not only for assurance controls to validate the security of databases, but also for a security culture to be embedded throughout organisations. The fact that UN organisations are not subject to GDPR should not mean that data protection practices should fall off the radar. All companies – and specifically intergovernmental organisations – should look to improve their cyber security posture, ensuring all staff are aware of their responsibilities.

Last edited 2 years ago by Javvad Malik
Sam Curry
Sam Curry , Chief Security Officer
InfoSec Expert
September 11, 2019 2:36 pm

First off kudos UNICEF officials for leaning in and taking steps to limit the damage. The problem though is that the word breach has a Pavlovian response in the media. We have been trained to treat all breaches the same, and they aren\’t. So UNICEF is leaning in, taking it seriously, apologising, fixing and so on. But there\’s a big difference between hackers targeting credit cards for instance, that they know how to monetize, and an accidental leak. Just because it\’s sensitive and could be very bad doesn\’t mean Snidley Whiplash is waiting behind the dumpster and making a run on liquidating the data. It\’s sensitive also because it\’s children, it\’s a not for profit and we never want to think it\’s ok to lose data in any way, but there remain degrees of breach and degrees of impact nonetheless.

Last edited 2 years ago by Sam Curry
Anjola Adeniyi
Anjola Adeniyi , Technical Leader
InfoSec Expert
September 13, 2019 10:39 am

This is yet another example of human error resulting in databases being exposed. People can often be the weakest link within cybersecurity, and this often stems from organisations not taking basic cyber hygiene or data security seriously enough. Security culture is essential for any organisations, and enterprises need to ensure staff are aware of the precautions they need to take to keep data secure.

Though UNICEF was forthright in their response as soon as they became aware of the incident, and apologised to those affected – prevention is nevertheless better than cure.

Last edited 2 years ago by Anjola Adeniyi
Felix Rosbach
Felix Rosbach , Product Manager
InfoSec Expert
September 13, 2019 10:57 am

Another week, another data leak. This time, unfortunately, those trying to do good are the victims. What is clear is that human activity in cyber-space is still susceptible to data breaches, leaks, or exposure and sadly, with the recent wave of data breaches, it does look like data security is not being taken seriously enough.

When it comes to data security and privacy, sometimes when companies try to prevent breaches, things can still go wrong.

A data-centric approach towards cybersecurity may help reduce the possibility of data exposure such as this case. When organizations go through the process of looking to determine what sensitive data they have and where it resides, data discovery and data-centric protection working together can be an effective way to shore up these security gaps. A sophisticated data protection architecture doesn’t care where the data is stored, in motion or used, including on-premise or multi-cloud environments. The objective is to protect sensitive data at its earliest point of entry, and allow deprotection only when necessary and only for applications and users with the right permission.

Last edited 2 years ago by Felix Rosbach
Tony Pepper
Tony Pepper , CEO
InfoSec Expert
September 16, 2019 3:22 pm

News breaking that a UNICEF employee had inadvertently revealed the personal details of 8,253 users of its Agora online learning platform, through a piece of unstructured data, has brought the need for organisations to ensure they’re using the right tools for the right job back into focus.

The leak saw the data of users enrolled on courses on childhood immunisation sent to 20,000 users of the educational system towards the end of August. Sensitive data such as names, email addresses, locations, gender, organisation, supervisor names and contract types were revealed.

GDPR has been firmly put back at the top of the boardroom agenda by the hefty fines recently doled out by the ICO to BA and Marriott, reminding organisations that they have a duty of care to protect all clients’ and service users’ data. Recent Egress research supports this approach; 60% of the 4856 personal data breach incidents reported to the ICO in the first six months of 2019 were the result of human error.

Regardless of whether UNICEF is subject to GDPR as a United Nations organisation, data incidents like this highlight the need to ensure that staff can share sensitive data securely when they need to – with policies and technologies forming a ‘safety net’ that reduce the likelihood of human error that puts information at risk. In particular, organisations should invest in more robust risk-based protection tools that work alongside the user, enabling them to work effectively and securely.

Last edited 2 years ago by Tony Pepper
Information Security Buzz
Would love your thoughts, please comment.x