Australian Red Cross Leaks Blood Donor Data

The Australian Red Cross Blood Service apologised on Friday to donors after one of its third-party service providers inadvertently made accessible a backup database containing the personal details of 550,000 individuals.

The database was discovered on October 24 by an individual who had been scanning the Web for exposed web servers returning directory listings. He informed Australian security expert Troy Hunt, who notified the Red Cross through AusCERT.

According to Hunt, the 1.74Gb database file stored 1.3 million records. The data included names, gender, physical and email addresses, phone number, date of birth, blood type, country of birth, type of donation, donation dates, and eligibility answers.

“The database backup was published to a publicly facing website,” Hunt said. “This is really the heart of the problem because no way, no how should that ever happen. There is no good reason to place database backups on a website, let alone a publicly facing one. There are many bad reasons (usually related to convenience), but no good ones.”

The Australian Red Cross Blood Service determined that the database stored the registration information of 550,000 individuals who had donated between 2010 and 2016. An investigation revealed that the database was accessible between September 5 and October 25.

The individual who copied the database said he deleted the file, but the organization is still in the process of confirming that no one else accessed it. The incident has been blamed on human error at the third-party service provider that develops and maintains the Blood Service website, but the organization has taken full responsibility.

IDCARE, Australia and New Zealand’s national identity support service, has analyzed the incident and determined that there is low risk of direct misuse.

The Australian Red Cross Blood Service said it reported the incident to the Australian Cyber Security Centre, Federal Police and the Office of the Information Commissioner.

“NGOs should probably allocate more budget for their cybersecurity. Their public-facing web applications are usually protected very badly and may be a source of huge breaches,” Ilia Kolochenko, CEO of web security company High-Tech Bridge, told SecurityWeek. “Moreover, European NGOs should keep in mind the arrival of GDPR, and prepare themselves for it in terms of data security, incident response and all privacy requirements.”

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
