550,000 client details exposed


By Dylan Bushell-Embling
Monday, 31 October, 2016

550,000 client details exposed

The Red Cross Blood Service has blamed a third-party contractor for a security gaffe that left the personal information of 550,000 donors public and exposed for well over a month.

A database containing registration information on donors giving blood between 2010 and 2016 — including names, addresses, dates of birth and sensitive medical data used to determine eligibility to donate — was inadvertently left in an insecure part of the company’s website.

This information was then downloaded by an individual scanning IP addresses for publicly exposed web servers returning directory listings.

The perpetrator then sent a portion of the database to Troy Hunt, a security expert who runs the Have I been pwned data breach notification services. Hunt has written about the experience on his blog, noting that this could be Australia’s largest ever leak of personal data to date.

In a joint letter, Blood Service CEO Shelly Park and Chair Jim Birch attributed the gaffe to a human error on the part of the third-party service that develops and maintains the Blood Service’s website.

“We take full responsibility for this mistake and apologise unreservedly to all affected. We take cybersecurity very seriously and we are deeply disappointed this occurred.”

Initial investigations suggest that the data may have been available from 5 September to 25 October. The Blood Service has been working with AusCERT to address the incident and they have jointly managed to delete all known copies of the archive.

But Hunt noted that it is unclear whether others could have accessed the data without the Blood Service’s knowledge. The perpetrator himself maintains that he hasn’t shared the data with anyone and has agreed to permanently delete the copy he had, Hunt said.

“However, by his own admission, we can only take his responses at face value,” he added. He praised the Red Cross Blood Service for their handling of the incident and expressed concern that the incident could leave individuals less inclined to donate blood.

As well as working with AusCERT, the Blood Service has informed the Australian Federal Police, Australian Cyber Security Centre and national identity and cyber support service IDCARE.

“We’ve mobilised a team of security experts to conduct a forensic analysis of the incident. We are also establishing a taskforce including independent experts to conduct a thorough investigation of governance and security structures within the Blood Service,” the letter states.

“Although IDCARE assessed the information accessed as of low risk of future direct misuse, there is always a risk that individuals could be contacted by cyber criminals and scammers via email and telephone (including SMS).”

Image courtesy of Wellcome Images under CC

Related News

Digital trust leaders outperform their peers: research

Companies categorised as leaders in implementing digital trust strategies are reaping the...

IT decision-makers believe AI is key to protect against cyber threats: report

According to reseach, 40% of Australian IT decision-makers believe the use of AI will help them...

New Relic upgrades app security testing suite

The New Relic Interactive Application Security Testing solution has been upgraded with new...


  • All content Copyright © 2024 Westwick-Farrow Pty Ltd