SecurityWeek
Australian Red Cross Leaks Blood Donor Data

The Australian Red Cross Blood Service apologised on Friday to donors after one of its third-party service providers inadvertently made accessible a backup database containing the personal details of 550,000 individuals.

The database was discovered on October 24 by an individual who had been scanning the Web for exposed web servers returning directory listings. He informed Australian security expert Troy Hunt, who notified the Red Cross through AusCERT.

According to Hunt, the 1.74 GB database file stored 1.3 million records. The data included names, gender, physical and email addresses, phone numbers, dates of birth, blood type, country of birth, type of donation, donation dates, and eligibility answers.

“The database backup was published to a publicly facing website,” Hunt said. “This is really the heart of the problem because no way, no how should that ever happen. There is no good reason to place database backups on a website, let alone a publicly facing one. There are many bad reasons (usually related to convenience), but no good ones.”
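The exposure Hunt describes comes down to a backup file sitting inside a web root on a server that lists directory contents. The following nginx configuration is an added illustration, not configuration from the Blood Service site or its provider (the article does not name their stack): the first server block shows the weak settings, the second the corrected ones. The hostname and paths are assumed placeholders.

```nginx
# Weak configuration: directory listing enabled, nothing refuses backup files.
# (Added illustration; the provider's real stack is not described in the article.)
server {
    listen 80;
    server_name example.invalid;          # assumed placeholder hostname
    root /var/www/site;                   # assumed web root

    location / {
        autoindex on;                     # any visitor can browse the directory tree
    }
}

# Corrected configuration: no listings, and dump/archive extensions are never
# served even if someone drops one into the web root by mistake. Backups
# themselves belong outside the web root (e.g. /var/backups) with restricted
# filesystem permissions; this block is only the last line of defence.
server {
    listen 80;
    server_name example.invalid;
    root /var/www/site;

    location / {
        autoindex off;                    # the nginx default, set explicitly
        try_files $uri $uri/ =404;        # serve real files or index pages, else 404
    }

    # Database dumps and archives are answered with 404 regardless of origin.
    location ~* \.(sql|bak|dump|sqlite|mdb|zip|tar|gz|7z)$ {
        return 404;
    }
}
```

After `nginx -t` and a reload, a request for a bare directory path and one for a `.sql` file under the web root should both return 404; checking this from outside the network is a quick, repeatable control for a public-facing site.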

The Australian Red Cross Blood Service determined that the database stored the registration information of 550,000 individuals who had donated between 2010 and 2016. An investigation revealed that the database was accessible between September 5 and October 25.

The individual who copied the database said he deleted the file, but the organization is still in the process of confirming that no one else accessed it. The incident has been blamed on human error at the third-party service provider that develops and maintains the Blood Service website, but the organization has taken full responsibility.

IDCARE, Australia and New Zealand’s national identity support service, has analyzed the incident and determined that there is low risk of direct misuse.

The Australian Red Cross Blood Service said it reported the incident to the Australian Cyber Security Centre, Federal Police and the Office of the Information Commissioner.

“NGOs should probably allocate more budget for their cybersecurity. Their public-facing web applications are usually protected very badly and may be a source of huge breaches,” Ilia Kolochenko, CEO of web security company High-Tech Bridge, told SecurityWeek. “Moreover, European NGOs should keep in mind the arrival of GDPR, and prepare themselves for it in terms of data security, incident response and all privacy requirements.”

Related Reading: 320,000 Financial Records Apparently Stolen From Payment Processor

Related Reading: Secret Data Leak Hits French Submarine Maker

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
