The United Nations Children’s Agency (Unicef) has suffered a data breach impacting thousands of users on its online learning portal Agora. However, the agency’s handling of the incident has drawn unusual praise from the cybersecurity industry.
The incident saw the personal data of 8,253 users of Unicef’s Agora learning portal accidentally emailed to around 20,000 users of the service on 26 August.
The following day, Unicef realised that the incident, which impacted those enrolled on the portal’s immunisation courses, had occurred. According to the organisation, it “promptly” disabled the features that allowed the error to be made, assuring global development news site Devex that “these measures will prevent such an incident from reoccurring”.
Its handling of the data breach has elicited a relatively positive reaction from the cybersecurity community.
“First off kudos UNICEF officials for leaning in and taking steps to limit the damage,” said Sam Curry, chief security officer, Cybereason.
“The problem though is that the word breach has a Pavlovian response in the media. We have been trained to treat all breaches the same, and they aren’t. So UNICEF is leaning in, taking it seriously, apologising, fixing and so on.”
Unicef data breach: A far cry from the megabreaches
Data breaches are rarely out of the headlines, but while the Unicef data breach is not good news for the organisation, it is a long way off the megabreaches that have exposed vast selections of personal data over the course of years.
“There’s a big difference between hackers targeting credit cards for instance, that they know how to monetise, and an accidental leak,” said Curry.
“Just because it’s sensitive and could be very bad doesn’t mean Snidley Whiplash is waiting behind the dumpster and making a run on liquidating the data.
“It’s sensitive also because it’s children, it’s a not for profit and we never want to think it’s ok to lose data in any way, but there remain degrees of breach and degrees of impact nonetheless.”
Improving security culture
While the Unicef data breach is far less concerning and has been better handled than other previous incidents, it still highlights the damage that user error can cause.
“Another week, another data leak. This time, unfortunately, those trying to do good are the victims,” said Felix Rosbach, product manager at comforte AG.
“What is clear is that human activity in cyber-space is still susceptible to data breaches, leaks, or exposure and sadly, with the recent wave of data breaches, it does look like data security is not being taken seriously enough.”
“This is unfortunately yet another example of where user error has led to private databases being left exposed,” added Javvad Malik, security awareness advocate at KnowBe4.
“It highlights the dire need not only for assurance controls to validate the security of databases, but also for a security culture to be embedded throughout organisations.”
A GDPR issue?
Notably, the organisation did not need to report the incident under GDPR because UN agencies are exempt from the law.
However, Malik warns that this should not be an excuse to neglect effective cybersecurity.
“The fact that UN organisations are not subject to GDPR should not mean that data protection practices should fall off the radar,” said Malik.
“All companies – and specifically intergovernmental organisations – should look to improve their cybersecurity posture, ensuring all staff are aware of their responsibilities.”