UN agency Unicef praised for response to accidental data leak

The United Nations (UN) children’s agency, Unicef, has been the subject of a data leak after a member of staff inadvertently disclosed information on 8,253 people to users of its Agora free online learning platform, which offers training to Unicef staff and partners on issues pertaining to children’s rights, humanitarian action and so on.

The leak saw the data of users enrolled on courses on childhood immunisation sent to 20,000 users of the educational system towards the end of August. This included data on names, email addresses, locations, gender, organisation, supervisor names and contract types.

“This inadvertent data leak was caused by an error when an internal user ran a report,” said Unicef head of media, Najwa Mekki.

“Unicef became aware of this incident the following day. Our technical teams promptly disabled the Agora functionality allowing such reports to be sent and blocked the Agora server’s ability to send out email attachments. These measures will prevent such an incident from reoccurring,” she said.

Everybody who received the leaked file has now been requested to permanently delete the email and any copies from their mail system, download folder or recycle bin. Computer Weekly understands Unicef also plans to launch an internal assessment and review of the incident.

Sam Curry, chief security officer at Cybereason, said the organisation had taken appropriate steps to limit any damage caused.

“Kudos to Unicef officials for leaning in and taking steps to limit the damage. The problem is that the word ‘breach’ has a Pavlovian response in the media. We have been trained to treat all breaches the same, and they aren’t. So Unicef is leaning in, taking it seriously, apologising and fixing it,” he said.

Curry pointed out that there was a world of difference between hacks targeting confidential data, such as credit card numbers, that they know how to monetise, and an accidental leak.

“Just because it’s sensitive and could be very bad doesn’t mean Snidely Whiplash is waiting behind the dumpster and making a run on liquidating the data. It’s sensitive also because it’s children, it’s a not for profit and we never want to think it’s okay to lose data in any way, but there remain degrees of breach and degrees of impact nonetheless.”

Securonix technical lead Anjola Adeniyi also praised the agency for taking a sensible approach to the leak: “Though Unicef was forthright in their response as soon as they became aware of the incident, and apologised to those affected – prevention is nevertheless better than cure.

“This is yet another example of human error resulting in databases being exposed. People can often be the weakest link within cyber security, and this often stems from organisations not taking basic cyber hygiene or data security seriously enough. Security culture is essential for any organisations, and enterprises need to ensure staff are aware of the precautions they need to take to keep data secure.”

Lisa Baergen, NuData Security director, said the incident nevertheless contained important lessons for the organisation.

“Cyber criminals continue to build their database of account details and credentials. I continue to advise users to change their passwords immediately after being informed of a breach while not clicking on any links in unexpected emails, and to use unique passwords for each account they create,” said Baergen.

“Password manager apps are a great way to help keep all of those credentials safe and secure. Once your data has been stolen, it is used by attackers in a number of ways, including account takeover and identity fraud,” she said.

“We again apologise to the users who have been affected and want to reassure them that we are doing everything possible to make sure this does not happen again. Unicef takes data privacy very seriously and is committed to protecting the privacy of its online community,” added Mekki.