550,000 Australian blood donors’ personal data made public after human error
The exposure was caused by a file being left on an unsecured server. The information leaked includes names, addresses, and dates of birth of Australians who donated or tried to donate blood from 2010 to 2016.
Announcing the breach, Red Cross Blood Service Chief Executive Shelly Park blamed the exposure on human error but assured the public that there is “low risk of future direct misuse.”
“On 26 October, we learned that a file containing donor information, which was located on a development website, was left unsecured by a contracted third party who develops and maintains our website,” Park said. “The issue occurred due to human error. Consequently, this file was accessed by a person outside of our organization.”
Important update from the CEO regarding donor data security: https://t.co/Fn3ePv6fvV— Red Cross Blood Au (@redcrossbloodau) October 28, 2016
The exposed file was a backup of online inquiry forms submitted through the Red Cross blood donation website, donateblood.com.au. Park stated that access to the file had been disabled while forensic experts are helping the NGO with its investigation.
“I wish to stress that this file does not contain the deep personal records of people’s medical history or of their test results,” Park stressed.
The file does contain answers to eligibility questions, which include sensitive information such as any “at-risk” sexual behavior during the past year or recreational drug use.
The Red Cross is now notifying donors of the data breach, asking them to be vigilant for possible identity theft.
This is a really major security incident impacting the Red Cross Blood Bank, lot of data leaked - including mine: https://t.co/hz3Ave7MHc— Troy Hunt (@troyhunt) October 28, 2016
In a press release, the NGO said that the Blood Service is working with the Australian Cyber Security Centre and the Office of the Australian Information Commissioner on the matter. The statement added that so far, the investigation was able to determine that the data may have been available from September 5, 2016 to October 25, 2016.
Troy Hunt, a security researcher who runs a data breach notification service, wrote in a post that the person who found the file contacted him after coming across Hunt’s own personal details in the 1.74GB data file containing the records.
“The database backup was published to a publicly facing website. This is really the heart of the problem because no way, no how should that ever happen,” he wrote in a blog post.
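The failure Hunt describes, a database backup sitting where a web server will happily serve it, is the kind of thing a routine scan of deployment directories (production and, as in this case, development hosts) should catch before anyone outside finds it. The following scanner is an added example, not code from the Blood Service, its contractor or Hunt’s post; the extension list, the SQL dump signatures and the sample files it builds in a temporary directory are assumptions constructed for the example.

```python
"""Scan a web document root for database dumps and backup archives that
should never be reachable over HTTP.

Added example, not code from the Red Cross Blood Service, its web
contractor, or Troy Hunt. The suffix list and content signatures below are
this example's own assumptions about what a stray backup looks like.
"""
import re
import tempfile
from pathlib import Path

# File names that usually mean "backup" or "export" (assumed list).
SUSPECT_SUFFIXES = (
    ".sql", ".sql.gz", ".sql.zip", ".bak", ".dump",
    ".old", ".orig", ".tar.gz", ".zip", ".7z",
)

# Byte patterns seen near the start of common SQL dumps (assumed signatures).
DUMP_SIGNATURES = (
    re.compile(rb"-- (MySQL|MariaDB) dump"),
    re.compile(rb"-- PostgreSQL database dump"),
    re.compile(rb"\bCREATE TABLE\b"),
    re.compile(rb"\bINSERT INTO\b"),
)


def looks_like_dump(path, sniff_bytes=65536):
    """Return True if the first sniff_bytes of the file match a dump signature.

    Content sniffing catches dumps that were renamed to an innocuous
    extension, which a name-only check would miss.
    """
    try:
        with open(path, "rb") as f:
            head = f.read(sniff_bytes)
    except OSError:
        return False
    return any(sig.search(head) for sig in DUMP_SIGNATURES)


def scan_webroot(root):
    """Walk root and return (relative_posix_path, reason, size_bytes) findings."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        size = path.stat().st_size
        if path.name.lower().endswith(SUSPECT_SUFFIXES):
            findings.append((rel, "suspect extension", size))
        elif looks_like_dump(path):
            findings.append((rel, "SQL dump content", size))
    return findings


def build_sample_webroot(base):
    """Populate base with constructed sample files: two innocuous, two that must be flagged."""
    base = Path(base)
    (base / "assets").mkdir(parents=True, exist_ok=True)
    (base / "backup").mkdir(exist_ok=True)
    (base / "index.html").write_text("<html><body>Donate blood</body></html>")
    (base / "assets" / "app.js").write_text("console.log('hello');")
    # Constructed stand-in for a database backup dropped into the web root.
    (base / "backup" / "enquiries-2016.sql").write_bytes(
        b"-- MySQL dump 10.13\nCREATE TABLE enquiries (id int);\n"
    )
    # Same kind of content behind a harmless-looking name: only sniffing catches it.
    (base / "assets" / "data.txt").write_bytes(
        b"INSERT INTO enquiries VALUES (1,'Jane');\n"
    )


def demo_scan():
    """Build the constructed sample web root in a temp dir and return sorted findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_webroot(tmp)
        return sorted(scan_webroot(tmp))


if __name__ == "__main__":
    for rel, reason, size in demo_scan():
        print(f"{rel}: {reason} ({size} bytes)")
```

Point `scan_webroot` at the real document root of every host that serves the site, staging and development included, and treat any finding as a release blocker. A scan is only half the control: the web server should also refuse to serve these suffixes at all, so that a backup which does slip through is still not downloadable.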