

Published by Scottish Council for Voluntary Organisations


Thousands of personal details leaked in data breach


Leak not thought to invoke GDPR legislation

Unicef has leaked personal information belonging to thousands of users of its online learning portal Agora.

Agora offers free training courses to its staff and members of the public on issues such as child rights, humanitarian action, research and data.

An email containing personal details of 8,253 users enrolled in courses on immunisation went out to nearly 20,000 users of the site.

Najwa Mekki, Unicef’s media chief, said the error was inadvertently caused when an internal user ran a report.

“The personal information accidentally leaked may include the names, email addresses, duty stations, gender, organisation, name of supervisor and contract type of individuals who had enrolled in one of these courses, to the extent that these details were included in their Agora user’s profile,” said Mekki.

The leak happened on 26 August. Unicef said it took action the next day.

“Our technical teams promptly disabled the Agora functionality which allows such reports to be sent and blocked the Agora server’s ability to send out email attachments,” Mekki said. “These measures will prevent such an incident from reoccurring.”

However, Clare Sullivan, managing director of CyberSMART, said UN agencies are probably exempt from the EU’s General Data Protection Regulation (GDPR).

“If a Unicef data breach were to be the concern of the GDPR, then the organisation would have to notify relevant data protection authorities within 72 hours of the leak having been discovered.

“The case was not reported to any further authorities.”


