The Australian Red Cross Blood Service apologised on Friday to donors after one of its third-party service providers inadvertently made accessible a backup database containing the personal details of 550,000 individuals.
The database was discovered on October 24 by an individual who had been scanning the Web for exposed web servers returning directory listings. He informed Australian security expert Troy Hunt, who notified the Red Cross through AusCERT.
According to Hunt, the 1.74GB database file stored 1.3 million records. The data included names, gender, physical and email addresses, phone numbers, dates of birth, blood type, country of birth, type of donation, donation dates, and eligibility answers.
“The database backup was published to a publicly facing website,” Hunt said. “This is really the heart of the problem because no way, no how should that ever happen. There is no good reason to place database backups on a website, let alone a publicly facing one. There are many bad reasons (usually related to convenience), but no good ones.”
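The discovery method described above (scanning for web servers that return directory listings) and the failure Hunt describes (a database backup sitting in a public web root) can both be checked for from the defender's side. The following is an added example, not code from the article, from Hunt or from the Blood Service's provider: it recognises server-generated autoindex output, extracts the files it lists and flags names that look like database dumps or archives. The sample listing and its filenames are constructed for this example and do not come from the incident; the extension list and the name fragments it matches on are an assumed heuristic, not an exhaustive rule.

```python
"""Detect an exposed directory listing and flag backup-like files in it.

Added example; not the article's or Troy Hunt's code. The sample HTML mimics
Apache/nginx autoindex output and its filenames are invented.
"""
import re
import urllib.request
from html.parser import HTMLParser

# Constructed sample of an autoindex page for a web root.
SAMPLE_LISTING = """<html><head><title>Index of /</title></head>
<body><h1>Index of /</h1>
<a href="../">../</a>
<a href="css/">css/</a>
<a href="index.php">index.php</a>
<a href="site_backup_2016-09-05.sql">site_backup_2016-09-05.sql</a>
<a href="db.sql.gz">db.sql.gz</a>
<a href="logo.png">logo.png</a>
</body></html>"""

# Apache and nginx both title autoindex pages "Index of <path>".
LISTING_MARKERS = re.compile(r"<title>\s*Index of\s|<h1>\s*Index of\s", re.I)

# Heuristic (assumed, not exhaustive): extensions of dumps and archives, plus
# name fragments that usually mean someone parked a backup in the web root.
BACKUP_PATTERN = re.compile(
    r"(\.(sql|bak|dump|mdb|sqlite3?|db|tar|tgz|zip|gz|7z|rar)$)|(backup|dump|export)",
    re.I,
)


class LinkCollector(HTMLParser):
    """Collect href targets of every <a> tag in a page."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def is_directory_listing(html: str) -> bool:
    """True when the page looks like server-generated autoindex output."""
    return bool(LISTING_MARKERS.search(html))


def extract_links(html: str) -> list:
    """Return the file entries of a listing, skipping parent and subdirectory links."""
    parser = LinkCollector()
    parser.feed(html)
    return [h for h in parser.hrefs if not h.endswith("/")]


def find_backup_artifacts(html: str) -> list:
    """Return listed filenames that look like database dumps or archives.

    Returns an empty list for pages that are not directory listings, so a normal
    home page never produces findings.
    """
    if not is_directory_listing(html):
        return []
    return [h for h in extract_links(html) if BACKUP_PATTERN.search(h)]


def check_url(url: str, timeout: float = 5.0) -> list:
    """Fetch a URL you are authorised to test and report backup-like files.

    Network helper for running the check against your own hosts; the offline
    demonstration below uses SAMPLE_LISTING instead.
    """
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        body = resp.read().decode("utf-8", errors="replace")
    return find_backup_artifacts(body)


if __name__ == "__main__":
    print("listing:", is_directory_listing(SAMPLE_LISTING))
    print("flagged:", find_backup_artifacts(SAMPLE_LISTING))
```

Running the check against your own web roots is the cheap version of what the scanner in this story was doing. On the server side the fix is to turn listings off (`Options -Indexes` in Apache, `autoindex off;` in nginx) and, more importantly, to keep dumps and archives out of the document root altogether, since a listing is only one way a guessable filename gets found.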
The Australian Red Cross Blood Service determined that the database stored the registration information of 550,000 individuals who had donated between 2010 and 2016. An investigation revealed that the database was accessible between September 5 and October 25.
The individual who copied the database said he deleted the file, but the organization is still in the process of confirming that no one else accessed it. The incident has been blamed on human error at the third-party service provider that develops and maintains the Blood Service website, but the organization has taken full responsibility.
IDCARE, Australia and New Zealand’s national identity support service, has analyzed the incident and determined that there is low risk of direct misuse.
The Australian Red Cross Blood Service said it reported the incident to the Australian Cyber Security Centre, Federal Police and the Office of the Information Commissioner.
“NGOs should probably allocate more budget for their cybersecurity. Their public-facing web applications are usually protected very badly and may be a source of huge breaches,” Ilia Kolochenko, CEO of web security company High-Tech Bridge, told SecurityWeek. “Moreover, European NGOs should keep in mind the arrival of GDPR, and prepare themselves for it in terms of data security, incident response and all privacy requirements.”
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.