Hackers break into UNICEF and access personal information from thousands of people

Data protection specialists report that UNICEF, the United Nations (UN) humanitarian assistance agency for children, mistakenly leaked the personal information of thousands of people through Agora, an online learning system. Although the official version speaks of a human error, many still fear that it is actually a hacking attack.

A couple of weeks ago, an email was mistakenly sent to about 20k users of this learning platform; the message contained the private information of 8,253 people enrolled in one of the UNICEF-led courses through Agora. This platform offers various online courses on children’s rights and humanitarian actions, and hosts thousands of research materials, articles and statistics on the status of children around the world. Both UNICEF staff and external users are members of Agora.

“This leak occurred inadvertently after one of our users ran a report,” says a statement from UNICEF data protection specialists. Personal details exposed during this incident include:

  • Email addresses
  • Gender of users
  • Type of link between the Agora user and UNICEF

UNICEF staff detected the incident one day after the email containing personal information was sent. “The inconvenience has already been corrected, we work to prevent something similar from occurring in the future,” the statement adds.

All Agora users were notified of the incident, and UNICEF asked them to delete the spreadsheet containing the information if they had received it. The message concludes with an apology from the organization.

International Institute of Cyber Security (IICS) data protection experts say such incidents help cybercriminals build huge databases for malicious purposes. As prevention measures, experts recommend that potentially affected users change their email account passwords, stay alert to any suspicious email, and monitor their other online accounts, such as social media profiles.

It is not yet known whether the European authorities will investigate this incident under the General Data Protection Regulation (GDPR); some experts believe that because it is a United Nations agency, UNICEF could avoid an investigation by data authorities, at least this time. Clare Sullivan, data protection specialist at CyberSMART, mentions that this is the most likely scenario, although it has yet to be discussed in European courts.

In this regard, UNICEF Press Chief Najwa Mekki said very clearly: “UNICEF is not subject to the GDPR”; the official also noted that the incident has not yet been reported to any authority.

However, the cybersecurity community believes that the fact that UNICEF is not subject to GDPR does not mean that the agency should not implement the strictest measures to protect the information of staff, contributors and participants in its programs.