No organization is immune to data breaches. The list of organizations and services that have suffered one grows longer every day, and now, apparently, the Australian Red Cross must be added to it.
Australian Red Cross Data Breach of 550,000 Blood Donors
The organization said that its blood donor service discovered that the registration information of 550,000 blood donors had been compromised. Who is to blame? According to the Red Cross, human error by a third-party contractor is at fault.
The worst aspect of this data privacy incident is that nobody knows how many people obtained the data. The exposed file, a database backup covering donor records from 2010 to 2016, was publicly accessible on the website donateblood.com.au from September 5 to October 25, 2016. The backup is 1.74GB in size and holds 1.3 million records. It contains sensitive information about blood donors, including name, gender, physical address, email address, phone number, date of birth, blood type, country of birth, and previous donations.
As he does with major data breaches, Troy Hunt of Have I Been Pwned analysed the data and shared his own view of the matter. This is what he wrote on his personal blog:
On Tuesday morning, I was contacted by someone […]. He claimed to have data from donateblood.com.au and he provided me with a snippet to prove it – a snippet of my own data. There was my name, my email, gender, date of birth, phone number and the date I’d last donated. He then provided me with the entire data set, a 1.74GB file with 1,286,366 records in a “donor” table which was just one out of a total of 647 different tables. I checked my wife’s record and found all the same info as I had albeit across 9 different records reflecting the different occasions she’d donated. In addition to the fields in my data, her data also had our home address and her blood type. There was no doubt in my mind that this data was legitimate.
What has the Australian Red Cross said?
The organization issued an apology, saying that “we are deeply disappointed this could happen. We take full responsibility for this mistake and apologise unreservedly.” Its statement continued:
On 26 October the Blood Service became aware a file containing donor information was placed in an insecure environment by a third party that develops and maintains the Blood Service’s website. This file contained registration information of 550,000 donors made between 2010 and 2016. Included in the file was information such as names, addresses and dates of birth.
The data was copied by a person scanning for security vulnerabilities who then, through an intermediary, informed the Australian Cyber Emergency Response Team (AusCERT) with whom the Blood Service has membership, the Red Cross added.