The email was accidentally sent on August 26 by UNICEF and included the names, email addresses, gender and professional information of 8,253 users of Agora, according to a published report. The Agora program offers learning solutions to UNICEF’s staff, partners and supporters.
Nearly 20,000 Agora users received the leaked data tied to users enrolled in courses on immunization.
UNICEF media chief Najwa Mekki told Devex that the leak was the result of human error. The information was included in the email when the internal user ran a report. The leaked information also included duty stations, supervisor names and contract types of individuals who had enrolled in the courses.
Upon discovering the leak the day after the email was sent, UNICEF disabled the Agora functionality that allows these types of reports to be sent and blocked the portal’s ability to send out email attachments, Mekki told Devex. The organization believes this should prevent further incidents.
UNICEF also sent its users a message explaining that they may have received an email on Aug. 26 that “contained a spreadsheet that included the basic personal information of some of our users,” according to Devex. The message asked users to permanently delete the email and all copies of the file from their systems.
The stakes are higher for organizations that leak data since the General Data Protection Regulation (GDPR) went into effect in Europe last May, imposing heavy fines on companies that release data without authorization.
However, while this has created incentive for companies to become more vigilant to protect confidential data, leaks continue to occur, especially for organizations with limited security resources.
The UNICEF incident once again highlights the organizational importance not only of security at an infrastructure level, but also at the individual level, security experts said.
“You can have the all the industry-leading security controls in place but nothing stops human error,” said Lamar Bailey, senior director of security research at Tripwire, in an e-mail to Threatpost.
Bailey said that organizations historically have struggled with employee security training, which “is often overlooked or the investment is not as high as it needs to be.”
“The training programs can be too simplistic and this causes people to ignore them or blow them off,” he said.
That lack of interest or investment continues to result in breaches that can cause serious security issues, with cybercriminals using data leaked in these preventable occurrences to stockpile personal and account details of potential victims, said Lisa Baergen, vice president of Marketing for Nudata Security, a Mastercard company.
“Once your data has been stolen, it is used by attackers in a number of ways, including account takeover and identity fraud,” she said in an email to Threatpost. “The data lost has the potential to be lucrative in the hands of cybercriminals who can use the stolen details to accurately mimic the legitimate customer.”
(Image courtesy of UNICEF.org)