A data breach has exposed over a million personal and medical records of Australian citizens donating blood to the Red Cross Blood Service. It is thought to be the biggest data breach to affect the country.
It was discovered by an anonymous source that a 1.74 GB file containing 1.28 million donor records going back to 2010 was accessible via a publicly accessible website. The source notified security researcher Troy Hunt, the person behind haveibeenpwned.com.
The database was unearthed via a scan of IP addresses built to find publicly exposed web servers that returned directory listings containing .sql files.
The database contains personal information such as name, gender, physical and email addresses, phone number, date of birth, blood type and country of birth. It also holds very sensitive data, such as whether someone has engaged in high-risk sexual behaviour.
Troy Hunt said in a blog post that he was contacted by someone claiming to have data from donateblood.com.au.
“He provided me with a snippet to prove it - a snippet of my own data. There was my name, my email, gender, date of birth, phone number and the date I'd last donated. He then provided me with the entire data set, a 1.74GB file with 1,286,366 records in a "donor" table which was just one out of a total of 647 different tables,” he said.
In a statement, the Australian Red Cross said that it has made contact with the Australian Cyber Security Centre and the Australian Federal Police and notified the Office of the Australian Information Commissioner (OAIC) of the data breach.
“We are deeply disappointed this could happen. We take full responsibility for this mistake and apologise unreservedly,” said Jim Birch, chair, and Shelly Park, chief executive, of the Blood Service. “We would like to assure you we are doing everything in our power to not only right this but to prevent it from happening again.”
In a statement, Australian Privacy Commissioner Timothy Pilgrim said that “the Australian Red Cross Blood Service has advised my office of a data breach from the DonateBlood website.
“In doing so, Red Cross has provided details of what occurred and steps taken to contain the breach. I welcome their prompt actions to prevent any further disclosure of this highly sensitive personal information.”
He added that he will be opening an investigation into this matter and will work with the Red Cross to assist them in addressing the issues arising from this incident. The results of that investigation will be made public at its conclusion.
Steve Murphy, senior vice president EMEA at Informatica, told SCMagazineUK.com that if organisations don't track where their data is moving and who holds it, it's only a matter of time before a damaging breach occurs.
“With sensitive data often passing between multiple companies during partnerships and sales, it's essential that organisations have a data-centric security strategy in place to ensure that data is secure wherever it goes,” he said.
Mark James, Security Specialist at ESET, told SC that failing to keep software patched and up to date is one of the biggest failings.
“Many webservers are using outdated software that still has vulnerabilities or flaws waiting to be exploited,” he said. “With software available to scan multiple IP addresses looking for certain types of files most of the hard work has already been done for the attacker. If the correct authentication methods were in place and periodic security reviews on all servers holding or handling our private data then a lot of these breaches would not have happened.”
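The exposure described above came down to a web server that returned a directory listing containing a .sql file, and Mark James's closing point is that periodic reviews of servers holding private data would catch such cases. The script below is an added example (it is not code from the article, from Troy Hunt, or from the Blood Service) of the kind of self-check a site operator can run against their own server's responses: it parses the HTML of an auto-generated index page, decides whether directory listing is enabled, and reports any listed files whose names suggest a database export or backup. The index-page HTML is constructed for the example; the title heuristic assumes the default "Index of /..." title that Apache's and nginx's autoindex pages produce, and the list of file suffixes is an assumption, not an exhaustive rule.

```python
"""Audit one web server index page for exposed database dumps.

Added example, not from the article. The sample HTML below is constructed
to resemble an Apache/nginx autoindex page; it is not the real page.
"""
from html.parser import HTMLParser

# Suffixes that commonly mark a database export or site backup (assumed list).
SENSITIVE_SUFFIXES = (".sql", ".sql.gz", ".sql.zip", ".sql.bz2", ".dump",
                      ".bak", ".tar.gz", ".zip", ".db", ".sqlite")

# Constructed sample of an autoindex page as a misconfigured server might serve it.
SAMPLE_LISTING = """<html><head><title>Index of /backup</title></head>
<body><h1>Index of /backup</h1><pre>
<a href="?C=N;O=D">Name</a>  <a href="?C=M;O=A">Last modified</a>
<hr><a href="/">Parent Directory</a>
<a href="donors_2016.sql">donors_2016.sql</a>  1.7G
<a href="site_backup.tar.gz">site_backup.tar.gz</a> 210M
<a href="logo.png">logo.png</a> 12K
<a href="notes/">notes/</a>
</pre></body></html>"""


class _LinkCollector(HTMLParser):
    """Collect every href target and the <title> text from an HTML page."""

    def __init__(self):
        super().__init__()
        self.hrefs = []
        self.title = ""
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)
        elif tag == "title":
            self._in_title = True

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def is_directory_listing(html):
    """True if the page title matches an auto-generated directory index."""
    parser = _LinkCollector()
    parser.feed(html)
    title = parser.title.strip().lower()
    return title.startswith("index of") or "directory listing" in title


def find_exposed_dumps(html):
    """Return the listed paths whose file names look like exports or backups."""
    parser = _LinkCollector()
    parser.feed(html)
    found = []
    for href in parser.hrefs:
        # Keep only the final path component, lower-cased for suffix matching.
        name = href.rstrip("/").rsplit("/", 1)[-1].lower()
        if name.startswith("?") or name in ("", ".."):
            continue  # column-sort links and the parent-directory link
        if name.endswith(SENSITIVE_SUFFIXES):
            found.append(href)
    return found


def audit(html):
    """Summarise one index page as (listing_enabled, exposed_files)."""
    return is_directory_listing(html), find_exposed_dumps(html)


if __name__ == "__main__":
    listing, exposed = audit(SAMPLE_LISTING)
    print("directory listing enabled:", listing)
    for path in exposed:
        print("exposed dump:", path)
```

Either finding on a production host is a review item in its own right: directory listing should be disabled in the web server configuration, and database exports have no place under a web-served document root at all, whatever authentication sits in front of it.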