The Australian Red Cross Blood Service is in damage control after detailed personal information about 550,000 donors was accidentally leaked online.
In what may be Australia’s biggest ever data breach, almost 1.3 million records of blood donations were found in a database backup that was published to a public-facing website.
The 1.74GB database file was found by an individual who simply scanned internet IP addresses “looking for publicly-exposed web servers returning directory listings”, and then looked through the directory for .sql files.
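As an added illustration, not code from the article or from the Blood Service's web provider, the following shows the kind of Apache configuration that produces the exposure described above beside its hardened form; the host name and paths are placeholders, and the two blocks are alternatives, not meant to be loaded together:

```apache
# Weak form: directory listings are switched on, so any folder without an
# index page shows its contents, and a database dump copied into the web
# root is served like any other file.
<VirtualHost *:80>
    # placeholder host name and paths
    ServerName www.example-donor-site.invalid
    DocumentRoot /var/www/site
    <Directory /var/www/site>
        # "Indexes" is the setting that publishes a file listing
        Options Indexes FollowSymLinks
        Require all granted
    </Directory>
</VirtualHost>

# Hardened form: no listings, and backup or dump artefacts are refused even if
# someone drops them into the document root. Keeping backups outside
# DocumentRoot altogether is the real fix; the FilesMatch rule is a safety net.
<VirtualHost *:80>
    ServerName www.example-donor-site.invalid
    DocumentRoot /var/www/site
    <Directory /var/www/site>
        Options -Indexes +FollowSymLinks
        Require all granted
    </Directory>
    # common backup and archive extensions, matched case-insensitively
    <FilesMatch "(?i)\.(sql|sql\.gz|bak|dump|tar|tgz|zip|old)$">
        Require all denied
    </FilesMatch>
</VirtualHost>
```

After the change, `apachectl configtest` validates the syntax, and requesting a directory with no index file should return 403 rather than a listing.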
Alarmed, that individual turned over a small sample – and then the full file – to Troy Hunt, who runs the data breach notification service ‘Have I been pwned’.
Hunt’s service allows internet users to determine whether they – through an email address – have fallen victim to a data breach or hack.
Alarmed at the size of the file before him and the sensitivity of the data it contained, Hunt referred it to AusCERT, Australia’s computer emergency response team, whom he trusted “to take the incident seriously and handle it ethically”.
“I knew they were properly equipped with the right people and processes to take something with this degree of sensitivity and do the right thing by those impacted, my wife and I included amongst a huge number of other Aussies,” Hunt said.
Over the course of this week, Hunt and AusCERT worked with the Red Cross to contain the error and prepare for some of the fallout.
That culminated in an extensive statement and apology from the Red Cross today, and a pledge by the organisation to individually contact all of those affected.
Hunt said that it was not the Red Cross that inadvertently put the backup file online, but one of its “partners”, who has not been identified.
“This was a human error on the part of the third party service that develops and maintains the Blood Service’s website,” the service said in a statement.
“We take full responsibility for this mistake and apologise unreservedly to all affected.
“We take cyber security very seriously and we are deeply disappointed this occurred.”
While the Red Cross itself did not make the error, Hunt believed it was “highly unlikely there was a valid reason for them to provide the partner with such an extensive amount of data” in the first place.
“I'm sure there will be many questions asked as to how so much information should have been shared in the first place and indeed how much is shared in the future,” Hunt said.
Hunt said both he and the finder of the file had purged it from their computers, confident that the Red Cross would handle the incident properly.
But whether anyone else has it is an open question.
“Who else has the data? This is the question which is most concerning and the only answer anyone can confidently give is ‘we don't know’,” Hunt said.
“Part of the reason for this is that the mechanism used by the guy that found it is very simple and very widespread.
“Scanning the internet for everything from vulnerable code to connected devices to publicly facing backup files is something that happens constantly by many different parties.”
The Red Cross said in a statement that “to our knowledge all known copies of the data have been deleted.” However, investigations are continuing, it said.
“IDCARE, a national identity and cyber support service, has assessed the information accessed as of low risk of future direct misuse,” the blood organisation said.
The Office of the Australian Information Commissioner has also been informed.
The Red Cross said initial indications were that the file had been publicly exposed on the internet for the best part of two months.
“At this stage we understand the data may have been available from 5 September 2016 to 25 October 2016,” it said.
“Our forensic experts are working to confirm the exact dates.”
Both the blood service and Hunt sought to reassure the public that it was still safe to donate blood.
“The Blood Service continues to take a strong approach to cyber safety so donors and the Australian public can feel confident in using our systems,” the service said.
Hunt said that when he started looking into the breach, he “was really conscious … that the incident would make life hard on the Red Cross.”
“It's going to cost them money, it's bad publicity and there's a real chance that people may actually feel less inclined to give blood,” he said.
“I don't like that my data was exposed in this way but let us not lose focus on life's bigger issues.”