The United Nations children’s agency, UNICEF, has revealed it had “inadvertently” leaked the personal details of over 8,000 users of its online learning portal Agora.
According to a report from Devex, an email containing the personal info of 8,253 students enrolled in immunization courses were sent to nearly 200, 000 Agora users on August 26.
“This was an inadvertent data leak caused by an error when an internal user ran a report … The personal information accidentally leaked may include the names, email addresses, duty stations, gender, organization, name of supervisor and contract type of individuals who had enrolled in one of these courses, to the extent that these details were included in their Agora user’s profile,” said UNICEF’s media chief, Najwa Mekki.
Agora serves as UNICEF’s Global Hub for Learning and Development. It acts as a free portal that offers tailored learning solutions to UNICEF’s staff, partners, and supporters. Under the said platform, topics on child rights, humanitarian action, research, and data are being presented to members as part of Agora’s learning offers.
Earlier this week, Agora members were said to have received a message notifying them that they may have received an email on August 26 containing “a spreadsheet that included the basic personal information of some of our users.”
Members were then requested to “permanently delete the email and all copies of the file from your mailing system and download folder, as well as from [their] recycle bin.”
The message also included an apology and details concerning the launching of “an internal assessment and review…as soon as the issue was reported.”
“Our technical teams promptly disabled the Agora functionality which allows such reports to be sent and blocked the Agora server’s ability to send out email attachments,” Mekki told Devex. “These measures will prevent such an incident from reoccurring.”
The Head of UNICEF Media had also confirmed that UNICEF did not report the case to any authorities, explaining that “U.N. entities are not subject to GDPR.”
Siobhan Green, a tech consultant, however, told Devex that security incidents might leave significant damage to humanitarian organizations, such as UNICEF.
“We are finding that individuals — especially those already vulnerable — are making decisions about what personal data they want to share based on their beliefs about how that data will be used, shared or protected. In extreme cases, we see people self-censoring or refusing services out of a sense of self-protection. Will this risk result in fewer people using our services? What is the impact of that behaviour on our ability to serve these audiences?” she said.