“Merry belated Christmas, millennials. By the way, your data was exposed,” said Jonathan Deveaux, Head of Enterprise Data Protection at comforte AG.

He was speaking about AIESEC, a youth-run organisation that was found to have exposed the personal data of four million students on a server with no password.

The unprotected Elasticsearch database was found by security researcher Bob Diachenko on January 11; by then it had been exposed for just under a month.

AIESEC, which runs international exchanges aimed at leadership development, said in a statement that it was a “minor data breach affecting 40 of our system’s users. We immediately closed the vulnerability in our system”.

It added: “No critical information such as passwords or financial data were compromised.”

Organisations need to do more to protect data

According to TechCrunch and the blog post by Diachenko that it cites, the database contained applicants’ names, email addresses, genders, birth dates, the reasons for their application to the programme, and details from their interviews.

AIESEC says it works with tens of thousands of students and recent graduates in over 100 countries and facilitates tens of thousands of international exchanges.

“No matter what the count is, it just goes to continue to prove a major point – companies all around the world are not all protecting personal data. When writing personally identifiable information on to a database or file, organisations need to do more,” Deveaux commented on the breach.

“Even just following the basics sometimes would help. Even though this company is a non-profit organisation, GDPR fines may still apply. If “Taylor Smith” were tokenized and protected as ‘FSLIDB ZPMDQ’ we wouldn’t be having this issue.”
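The tokenization Deveaux describes replaces a stored value with a random token of the same shape, so a leaked table of tokens is worthless without the separate vault that maps them back. The following is an added example written for this article, not code from AIESEC, comforte or TechCrunch; the applicant record, field names and the vault class are constructed for illustration. Letters stay letters (case kept), digits stay digits, and separators such as spaces, dots and hyphens are left in place.

```python
"""Vaulted, format-preserving tokenization of PII before it reaches a database.

Added example for illustration. The TokenVault class, the field names and the
sample applicant record are all constructed here, not taken from any real system.
"""
import secrets
import string
from typing import Dict, Iterable

_ALNUM = set(string.ascii_letters + string.digits)
_MAX_ATTEMPTS = 1000  # guard against an exhausted token space


class TokenVault:
    """Maps sensitive values to random tokens that keep the shape of the input.

    The token reveals nothing about the value; the vault holds the only link
    back and must live in a separate, access-controlled store from the data
    it protects. Leaking the data store alone then leaks no PII.
    """

    def __init__(self) -> None:
        self._to_token: Dict[str, str] = {}
        self._to_value: Dict[str, str] = {}

    @staticmethod
    def _random_like(ch: str) -> str:
        # Replace each character with a random one of the same class.
        if ch in string.ascii_uppercase:
            return secrets.choice(string.ascii_uppercase)
        if ch in string.ascii_lowercase:
            return secrets.choice(string.ascii_lowercase)
        if ch in string.digits:
            return secrets.choice(string.digits)
        return ch  # separators (space, '@', '.', '-') are preserved

    def tokenize(self, value: str) -> str:
        """Return the token for value, minting a new random one on first sight."""
        if value in self._to_token:
            return self._to_token[value]  # deterministic: same value, same token
        if not any(c in _ALNUM for c in value):
            raise ValueError("nothing to tokenize in %r" % value)
        for _ in range(_MAX_ATTEMPTS):
            token = "".join(self._random_like(c) for c in value)
            # A token must not equal the value and must not collide with another token.
            if token != value and token not in self._to_value:
                self._to_token[value] = token
                self._to_value[token] = value
                return token
        # Small domains (a single digit, a two-letter code) run out of distinct
        # tokens; that is the inherent limit of a format-preserving scheme.
        raise RuntimeError("token space exhausted for the format of %r" % value)

    def detokenize(self, token: str) -> str:
        """Look the original value up in the vault; raises KeyError if unknown."""
        return self._to_value[token]


def protect_record(vault: TokenVault, record: Dict[str, str],
                   fields: Iterable[str]) -> Dict[str, str]:
    """Copy of record with the named PII fields replaced by tokens."""
    out = dict(record)
    for field in fields:
        out[field] = vault.tokenize(record[field])
    return out


def reveal_record(vault: TokenVault, record: Dict[str, str],
                  fields: Iterable[str]) -> Dict[str, str]:
    """Inverse of protect_record, for the few callers allowed to see the PII."""
    out = dict(record)
    for field in fields:
        out[field] = vault.detokenize(record[field])
    return out


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed sample row of the kind the article says the database held.
    applicant = {"name": "Taylor Smith", "email": "taylor.smith@example.org",
                 "birth_date": "1996-04-12", "reason": "Wanted to teach abroad"}
    pii = ["name", "email", "birth_date"]
    stored = protect_record(vault, applicant, pii)
    print(stored)  # tokens are random, e.g. a name still shaped like 'Xxxxxx Xxxxx'
    assert reveal_record(vault, stored, pii) == applicant
```

Two caveats a practitioner should keep in mind: a tokenized birth date keeps the `NNNN-NN-NN` shape but is not a valid calendar date, so tokenize only columns the application does not need to compute on; and the vault is now the crown jewels, so the same "no password on the server" mistake on the vault would undo the protection entirely.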

GDPR applies to millennial data breach

AIESEC said in its statement: “[We] did a full assessment of our infrastructure and security systems to ensure that no further vulnerabilities are present in our system.”

Laurin Stahl, AIESEC’s global vice president of platforms, told TechCrunch that the organisation had contacted the 40 individuals affected.

It submitted a report to the Dutch Data Protection Authority three days after being notified of the breach, consulted GDPR lawyers, then recorded the case in its internal logs and marked it as closed.

Under the GDPR, AIESEC could face a maximum fine of €20m or 4% of its annual global turnover, whichever is higher, as its platform and infrastructure are hosted in the EU.