It has been reported that the United Nations children’s agency, UNICEF, has inadvertently leaked personal information belonging to thousands of users of its online learning portal Agora. The website offers free training courses to UNICEF staff and members of the public on issues such as child rights, humanitarian action, research, and data. An email containing personal details of 8,253 users enrolled in courses on immunization went out to nearly 20,000 Agora users.
News breaking that a UNICEF employee had inadvertently revealed the personal details of 8,253 users of its Agora online learning platform, through a piece of unstructured data, has brought the need for organisations to ensure they’re using the right tools for the right job back into focus.
The leak saw the data of users enrolled on courses on childhood immunisation sent to 20,000 users of the educational system towards the end of August. Sensitive data such as names, email addresses, locations, gender, organisation, supervisor names and contract types were revealed.
GDPR has been firmly put back at the top of the boardroom agenda by the hefty fines recently doled out by the ICO to BA and Marriott, reminding organisations that they have a duty of care to protect all clients’ and service users’ data. Recent Egress research supports this approach; 60% of the 4856 personal data breach incidents reported to the ICO in the first six months of 2019 were the result of human error.
Regardless of whether UNICEF is subject to GDPR as a United Nations organisation, data incidents like this highlight the need to ensure that staff can share sensitive data securely when they need to – with policies and technologies forming a ‘safety net’ that reduces the likelihood of human error that puts information at risk. In particular, organisations should invest in more robust risk-based protection tools that work alongside the user, enabling them to work effectively and securely.
Another week, another data leak. This time, unfortunately, those trying to do good are the victims. What is clear is that human activity in cyber-space is still susceptible to data breaches, leaks, or exposure and sadly, with the recent wave of data breaches, it does look like data security is not being taken seriously enough.
When it comes to data security and privacy, sometimes when companies try to prevent breaches, things can still go wrong.
A data-centric approach towards cybersecurity may help reduce the possibility of data exposure such as this case. When organizations go through the process of looking to determine what sensitive data they have and where it resides, data discovery and data-centric protection working together can be an effective way to shore up these security gaps. A sophisticated data protection architecture doesn’t care where the data is stored, in motion or used, including on-premise or multi-cloud environments. The objective is to protect sensitive data at its earliest point of entry, and allow deprotection only when necessary and only for applications and users with the right permission.
This is yet another example of human error resulting in databases being exposed. People can often be the weakest link within cybersecurity, and this often stems from organisations not taking basic cyber hygiene or data security seriously enough. Security culture is essential for any organisation, and enterprises need to ensure staff are aware of the precautions they need to take to keep data secure.
Though UNICEF was forthright in their response as soon as they became aware of the incident, and apologised to those affected, prevention is nevertheless better than cure.
First off, kudos to UNICEF officials for leaning in and taking steps to limit the damage. The problem though is that the word breach has a Pavlovian response in the media. We have been trained to treat all breaches the same, and they aren’t. So UNICEF is leaning in, taking it seriously, apologising, fixing and so on. But there’s a big difference between hackers targeting credit cards for instance, that they know how to monetize, and an accidental leak. Just because it’s sensitive and could be very bad doesn’t mean Snidely Whiplash is waiting behind the dumpster and making a run on liquidating the data. It’s sensitive also because it’s children, it’s a not for profit and we never want to think it’s ok to lose data in any way, but there remain degrees of breach and degrees of impact nonetheless.
This is unfortunately yet another example of where user error has led to private databases being left exposed. It highlights the dire need not only for assurance controls to validate the security of databases, but also for a security culture to be embedded throughout organisations. The fact that UN organisations are not subject to GDPR should not mean that data protection practices should fall off the radar. All companies – and specifically intergovernmental organisations – should look to improve their cyber security posture, ensuring all staff are aware of their responsibilities.