A Brief Colonial History Of Ceylon(SriLanka)
Sri Lanka: One Island Two Nations
Thiranjala Weerasinghe sj.- One Island Two Nations
Saturday, October 29, 2016
Australia: Red Cross admits to personal data leak involving 550,000 blood donors

The Australian Red Cross Blood Service has admitted that the private data of
over half a million Australians has been leaked to the public. Source:
ils Versemann / Shutterstock.com.
THE AUSTRALIAN Red Cross Blood Service has admitted that the private
details of half a million blood donors – including their sexual
histories, names and addresses – have been leaked to the public, in what
is possibly the largest data breach the country has seen.
The organization in a statement said
it was informed Wednesday that a file containing donor information was
placed in an “insecure environment” by a third party that develops and
maintains the Blood Service’s website.
This file contained the registration information of 550,000 donors, made between 2010 and 2016.
“This information was copied by a person scanning for security
vulnerabilities who then, through an intermediary, informed the
Australian Cyber Emergency Response Team (AusCERT) with whom the Blood
Service has membership.
“With the assistance of AusCERT, the Blood Service took immediate action to address the problem,” it said in the statement.
An important announcement from our colleagues at the @redcrossbloodau: https://twitter.com/redcrossbloodau/status/791809915706671104
It added that the service has since been in contact with the Australian
Cyber Security Centre and the Office of the Australian Information
Commissioner.
IDCare, a national identity and cyber support service, it explained, has
also assessed the information accessed as “of low risk of future direct
misuse”.
It added that all known copies of the data have been deleted, although investigations are still ongoing.
Red Cross also explained that its online forms do not connect to its
databases, which contain more sensitive medical information.
“The Blood Service continues to take a strong approach to cyber safety
so donors and the Australian public can feel confident in using our
systems,” it said.
Included in the statement posted online was a special note of apology
jointly signed by the service’s chairman Jim Birch and chief executive
Shelly Park, as well as a FAQ (Frequently Asked Questions) section and a
hotline number that those affected by the breach could contact.
In the note, the duo expressed their disappointment in the incident and said they would take full responsibility for the leak.
“We take full responsibility for this mistake and apologise unreservedly.
“We would like to assure you we are doing everything in our power to not
only right this but to prevent it from happening again,” they wrote.
The leak was first brought to the attention of Microsoft employee and
technology blogger Troy Hunt, who runs a data breach notification
service.
This is a really major security incident impacting the Red Cross Blood Bank, lot of data leaked - including mine: https://www.troyhunt.com/the-red-cross-blood-service-australias-largest-ever-leak-of-personal-data/
In a blog post explaining the chronology of events,
Hunt said he was contacted earlier this week by an anonymous person who
claimed he had gained access to the confidential donor data from the
blood service.
Hunt explained that the unnamed individual caught his attention when the
individual revealed Hunt's own personal details to him, along with a 1.74GB
data file containing his records. Apart from Hunt's information, the person
also had his wife’s details.
“The database backup was published to a publicly facing website. This is
really the heart of the problem because no way, no how should that ever
happen,” he wrote in the blog post.
Hunt said he later went on to contact AusCERT, which then reached out to the Red Cross.
According to the Sydney Morning Herald, Australian Privacy Commissioner Timothy Pilgrim announced a probe into the breach on Friday afternoon.
“I will be opening an investigation into this matter and will work with
the Red Cross to assist them in addressing the issues arising from this
incident.
“The results of that investigation will be made public at its conclusion,” he was quoted as saying in a statement.
“My office encourages voluntary notification of data breaches,
particularly where there is a risk to an individual as a result of a
breach.”



