550,000 client details exposed
The Red Cross Blood Service has blamed a third-party contractor for a security gaffe that left the personal information of 550,000 donors public and exposed for well over a month.
A database containing registration information on donors giving blood between 2010 and 2016 — including names, addresses, dates of birth and sensitive medical data used to determine eligibility to donate — was inadvertently left in an insecure part of the company’s website.
This information was then downloaded by an individual scanning IP addresses for publicly exposed web servers returning directory listings.
The perpetrator then sent a portion of the database to Troy Hunt, a security expert who runs the Have I been pwned data breach notification services. Hunt has written about the experience on his blog, noting that this could be Australia’s largest ever leak of personal data to date.
In a joint letter, Blood Service CEO Shelly Park and Chair Jim Birch attributed the gaffe to a human error on the part of the third-party service that develops and maintains the Blood Service’s website.
“We take full responsibility for this mistake and apologise unreservedly to all affected. We take cybersecurity very seriously and we are deeply disappointed this occurred.”
Initial investigations suggest that the data may have been available from 5 September to 25 October. The Blood Service has been working with AusCERT to address the incident and they have jointly managed to delete all known copies of the archive.
But Hunt noted that it is unclear whether others could have accessed the data without the Blood Service’s knowledge. The perpetrator himself maintains that he hasn’t shared the data with anyone and has agreed to permanently delete the copy he had, Hunt said.
“However, by his own admission, we can only take his responses at face value,” he added. He praised the Red Cross Blood Service for their handling of the incident and expressed concern that the incident could leave individuals less inclined to donate blood.
As well as working with AusCERT, the Blood Service has informed the Australian Federal Police, Australian Cyber Security Centre and national identity and cyber support service IDCARE.
“We’ve mobilised a team of security experts to conduct a forensic analysis of the incident. We are also establishing a taskforce including independent experts to conduct a thorough investigation of governance and security structures within the Blood Service,” the letter states.
“Although IDCARE assessed the information accessed as of low risk of future direct misuse, there is always a risk that individuals could be contacted by cyber criminals and scammers via email and telephone (including SMS).”
CrowdStrike to buy Adaptive Shield
CrowdStrike is augmenting its SaaS security capabilities through the acquisition of Israeli-based...
LockBit named nastiest malware of 2024
LockBit, a ransomware malware known to have been used to attack Australian targets, has been...
Extreme Networks launches ZTNA solution
Extreme Networks' new ExtremeCloud Universal ZTNA solution combines cloud network access...