
SecurityWeek


Australian Red Cross Leaks Blood Donor Data

The Australian Red Cross Blood Service apologised on Friday to donors after one of its third-party service providers inadvertently made accessible a backup database containing the personal details of 550,000 individuals.


The database was discovered on October 24 by an individual who had been scanning the Web for exposed web servers returning directory listings. He informed Australian security expert Troy Hunt, who notified the Red Cross through AusCERT.

According to Hunt, the 1.74Gb database file stored 1.3 million records. The data included names, gender, physical and email addresses, phone number, date of birth, blood type, country of birth, type of donation, donation dates, and eligibility answers.

“The database backup was published to a publicly facing website,” Hunt said. “This is really the heart of the problem because no way, no how should that ever happen. There is no good reason to place database backups on a website, let alone a publicly facing one. There are many bad reasons (usually related to convenience), but no good ones.”

The Australian Red Cross Blood Service determined that the database stored the registration information of 550,000 individuals who had donated between 2010 and 2016. An investigation revealed that the database was accessible between September 5 and October 25.

The individual who copied the database said he deleted the file, but the organization is still in the process of confirming that no one else accessed it. The incident has been blamed on human error at the third-party service provider that develops and maintains the Blood Service website, but the organization has taken full responsibility.

IDCARE, Australia and New Zealand’s national identity support service, has analyzed the incident and determined that there is low risk of direct misuse.

The Australian Red Cross Blood Service said it reported the incident to the Australian Cyber Security Centre, Federal Police and the Office of the Information Commissioner.


“NGOs should probably allocate more budget for their cybersecurity. Their public-facing web applications are usually protected very badly and may be a source of huge breaches,” Ilia Kolochenko, CEO of web security company High-Tech Bridge, told SecurityWeek. “Moreover, European NGOs should keep in mind the arrival of GDPR, and prepare themselves for it in terms of data security, incident response and all privacy requirements.”


Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
