The website offers free training courses to UNICEF staff and members of the public on issues such as child rights, humanitarian action, research, and data.
On Aug. 26, an email containing personal details of 8,253 users enrolled in courses on immunization went out to nearly 20,000 Agora users.
Asked about the incident, UNICEF’s media chief, Najwa Mekki, told Devex in an email: “This was an inadvertent data leak caused by an error when an internal user ran a report ... The personal information accidentally leaked may include the names, email addresses, duty stations, gender, organization, name of supervisor and contract type of individuals who had enrolled in one of these courses, to the extent that these details were included in their Agora user’s profile.”
Data security breaches can have vast consequences in aid work. NGOs need to know they can manage the risks on their own, rather than relying solely on external service providers, experts tell Devex.
UNICEF became aware of the incident the following day. “Our technical teams promptly disabled the Agora functionality which allows such reports to be sent and blocked the Agora server’s ability to send out email attachments,” Mekki wrote. “These measures will prevent such an incident from reoccurring.”
On Wednesday, Agora users were sent a message explaining that they may have received an email on Aug. 26 that “contained a spreadsheet that included the basic personal information of some of our users.” They were asked to “permanently delete the email and all copies of the file from your mailing system and download folder, as well as from your recycle bin.”
In the message, UNICEF apologized for the incident and added that “an internal assessment and review was launched as soon as the issue was reported and the problem was quickly addressed to ensure that it does not happen again.”
Sarah Telford, who leads the U.N.’s Centre for Humanitarian Data in The Hague, told Devex that the incident was unfortunate but praised UNICEF for being forthright in its response. Telford added that the center has just released a guidance note, which it hoped would become best practice on how humanitarian organizations can manage data incidents.
Clare Sullivan, managing director of CyberSMART, a new research center at Georgetown University, told Devex that U.N. agencies are probably exempt from the European Union’s General Data Protection Regulation, which came into force in May 2018, though this is yet to be tested through case law. In the unlikely event it did fall under GDPR, Sullivan said UNICEF would need to notify relevant data protection authorities within 72 hours of becoming aware of the incident.
In 2017, a digital payment system used by Catholic Relief Services in West Africa was hacked, exposing beneficiaries' data. The NGO's CIO Karl Lowe speaks to Devex about what it learned from the experience and what advice he'd offer to others.
Mekki wrote that UNICEF did not report the case to any authorities, adding that “U.N. entities are not subject to GDPR.”
Even though this case involved the data of people using a training module, rather than aid recipients, Siobhan Green, a tech consultant working with aid agencies on data management and governance, told Devex that the reputational damage to humanitarian organizations from data incidents could be significant.
“We are finding that individuals — especially those already vulnerable — are making decisions about what personal data they want to share based on their beliefs about how that data will be used, shared or protected. In extreme cases, we see people self-censoring or refusing services out of a sense of self-protection. Will this risk result in fewer people using our services? What is the impact of that behavior on our ability to serve these audiences?” she asked.