“Merry belated Christmas, millennials. By the way, your data was exposed.” Jonathan Deveaux, Head of Enterprise Data Protection at comforte AG has said.

He was speaking about AIESEC, an organisation run for and by youth, that was found to have exposed four million students’ personal data on a server with no password.

The unprotected database was found by security researcher Bob Diachenko on search engine Elasticsearch on January 11, and the database had been exposed for just under a month by then.

AIESEC that runs international exchanges toward leadership development, said in a statement it was a “minor data breach affecting 40 of our system’s users. We immediately closed the vulnerability in our system”.

It added: “No critical information such as passwords or financial data were compromised.”

Organisations need to do more to protect data

According to TechCrunch and a blog it attributes to Diachenko, the database contained applicants’ names, emails, genders, birth dates and the reasons for their application to the programme and details from their interviews.

AIESEC says it works with tens of thousands of students and recent graduates, the young millennials, in over 100 countries, and facilitates tens of thousands of international exchanges.

“No matter what the count is, it just goes to continue to prove a major point – companies all around the world are not all protecting personal data. When writing personally identifiable information on to a database or file, organisations need to do more,” Deveaux commented on the breach.

“Even just following the basics sometimes, would help. Even though this company is a non-profit organisation, GDPR fines may still apply.  If “Taylor Smith” was tokenized and protected as ‘FSLIDB ZPMDQ’ we wouldn’t be having this issue.”

GDPR applies to millennial data breach

AIESEC said in its statement: “[We] did a full assessment of our infrastructure and security systems to ensure that no further vulnerabilities are present in our system.”

Laurin Stahl, AEISEC’s global vice president of platforms told TechCrunch that the organisation had contacted the 40 individuals affected.

It submitted a report to the Dutch Data Protection Authority three days after notified of the breach, consulted with GDPR lawyers and then filed a case in their internal logs and marked that case as closed.

AIESEC could face a maximum fine of €20m or 4% of its annual revenue under the GDPR, as its platform and infrastructure are hosted in the EU.