UNICEF exposed personal details of over 8,000 users in bulk email
Personal details of thousands of people who use UNICEF’s online learning portal Agora were exposed to many others in August when an email sent out by the organisation included their names, email addresses, gender, and professional information.
The email was generated by Agora’s server and sent to nearly 20,000 users of the online learning portal on 26 August; it was recalled the following day, after UNICEF learned about the breach.
According to UNICEF, personal details of 8,253 Agora users that were exposed via the email included “names, email addresses, duty stations, gender, organisation, name of supervisor and contract type of individuals who had enrolled in one of these courses”.
“Our technical teams promptly disabled the Agora functionality which allows such reports to be sent and blocked the Agora server’s ability to send out email attachments. These measures will prevent such an incident from reoccurring,” said Najwa Mekki, UNICEF’s media chief to Devex.
Aside from fixing the cause of the breach, UNICEF also wrote to all 20,000 recipients of the email, asking them to permanently delete the email and all downloaded files, as the email “contained a spreadsheet that included the basic personal information of some of our users”.
Data-centric protection tools may prevent data exposure via emails
Commenting on the exposure of personal data of 8,253 Agora users, Felix Rosbach, product manager at comforte AG, said that a data-centric approach to cybersecurity may help reduce the likelihood of data exposures such as this one.
“When organisations go through the process of looking to determine what sensitive data they have and where it resides, data discovery and data-centric protection working together can be an effective way to shore up these security gaps.
“A sophisticated data protection architecture doesn’t care where the data is stored, in motion or used, including on-premise or multi-cloud environments. The objective is to protect sensitive data at its earliest point of entry, and allow deprotection only when necessary and only for applications and users with the right permission,” he added.
Exposure of sensitive information about employees or members of the public by organisations via email is not a rare occurrence, even though GDPR has raised the cost of breaches considerably since last year.
In April this year, the UK government’s Department for Digital, Culture, Media & Sport leaked the email addresses of three hundred journalists in an email announcing the introduction of age filters on adult websites.
In another similar incident in the same month, the Home Office leaked email addresses of hundreds of Windrush migrants when it sent a series of emails to migrants to advise them about a new compensation scheme.
Before sending the emails, the Home Office failed to mask email addresses by entering them in the ‘bcc field’, thereby leaving email addresses of hundreds of migrants visible to others. After the breach was discovered, Immigration Minister Caroline Nokes issued an apology for the “administrative error”, stating that an internal review had been launched to investigate the breach.
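Both incidents above come down to an outbound mail check that was never made: recipients left visible in To/Cc instead of Bcc, and a server allowed to attach a report to a mass mailing. The following is an added illustration of those two controls as a server-side gate, not code from UNICEF, Agora or the Home Office; the sender address, recipient addresses and CSV are constructed.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Assumed address of an automated, report-generating sender (constructed).
AUTOMATED_SENDERS = {"reports@example.org"}


def _addresses(msg, header):
    """Bare addresses found in every instance of `header`."""
    return [addr for _, addr in getaddresses(msg.get_all(header, [])) if addr]


def policy_violations(msg, bulk_threshold=2):
    """Reasons a message must not leave the server; an empty list means it may."""
    problems = []
    visible = _addresses(msg, "To") + _addresses(msg, "Cc")
    hidden = _addresses(msg, "Bcc")
    # Control 1: a mass mailing must not reveal its recipient list. Everyone
    # except a single placeholder address belongs in Bcc.
    if len(visible) + len(hidden) >= bulk_threshold and len(visible) > 1:
        problems.append(f"{len(visible)} recipients visible in To/Cc; use Bcc")
    # Control 2: automated senders may not attach files at all, so a report
    # generated for one audience cannot ride along to a mailing list.
    attachments = [part.get_filename() for part in msg.iter_attachments()]
    sender = str(msg.get("From", ""))
    if attachments and sender in AUTOMATED_SENDERS:
        problems.append(f"attachment(s) {attachments} from automated sender {sender}")
    return problems


def build_message(sender, to, bcc=(), attachment=None):
    """Assemble a message the way a mailing script would (constructed input)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(to)
    if bcc:
        msg["Bcc"] = ", ".join(bcc)
    msg["Subject"] = "Course enrolment report"
    msg.set_content("Please see the report.")
    if attachment is not None:
        name, data = attachment
        msg.add_attachment(data.encode(), maintype="text", subtype="csv", filename=name)
    return msg


if __name__ == "__main__":
    users = ["a@example.net", "b@example.net", "c@example.net"]
    bad = build_message("reports@example.org", users, attachment=("report.csv", "name,email\n"))
    good = build_message("reports@example.org", ["reports@example.org"], bcc=users)
    print(policy_violations(bad))   # two violations: visible recipients and an attachment
    print(policy_violations(good))  # []
```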