The Australian Red Cross Blood Service apologised on Friday to donors after one of its third-party service providers inadvertently made accessible a backup database containing the personal details of 550,000 individuals.
The database was discovered on October 24 by an individual who had been scanning the Web for exposed web servers returning directory listings. He informed Australian security expert Troy Hunt, who notified the Red Cross through AusCERT.
According to Hunt, the 1.74 GB database file stored 1.3 million records. The data included names, gender, physical and email addresses, phone numbers, dates of birth, blood type, country of birth, type of donation, donation dates, and donor eligibility answers.
“The database backup was published to a publicly facing website,” Hunt said. “This is really the heart of the problem because no way, no how should that ever happen. There is no good reason to place database backups on a website, let alone a publicly facing one. There are many bad reasons (usually related to convenience), but no good ones.”
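The failure described above has two parts: a web server configured to return directory listings, and a database backup placed inside a publicly served directory. The following script is an added example for administrators auditing their own hosts; it is not code from the article, from Hunt, or from the Blood Service. It parses a page, decides whether it is an Apache/nginx-style "Index of /" listing, and reports any linked files whose names look like backups or dumps. The extension list, the `Index of /` heuristic, the `example.test` URL and the sample listing are all assumptions constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin

# Extensions that should never be reachable from a web root.
# Assumption: a typical list of backup/dump names, not drawn from the article.
BACKUP_EXTENSIONS = (".sql", ".sql.gz", ".bak", ".dump", ".zip",
                     ".tar", ".tar.gz", ".7z", ".mdf", ".bacpac")


class _LinkCollector(HTMLParser):
    """Collects the <title> text and every <a href> in a page."""

    def __init__(self):
        super().__init__()
        self.hrefs = []
        self.title = ""
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)
        elif tag == "title":
            self._in_title = True

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def looks_like_directory_listing(html):
    """Heuristic: Apache and nginx autoindex pages title themselves 'Index of /...'."""
    parser = _LinkCollector()
    parser.feed(html)
    return bool(re.match(r"\s*Index of /", parser.title))


def exposed_backups(base_url, html):
    """Return absolute URLs of linked files whose names end in a backup-like extension."""
    parser = _LinkCollector()
    parser.feed(html)
    found = []
    for href in parser.hrefs:
        filename = href.rsplit("/", 1)[-1].lower()
        if filename.endswith(BACKUP_EXTENSIONS):
            found.append(urljoin(base_url, href))
    return found


def audit(base_url, html):
    """Combine both checks into one finding for the given page."""
    return {
        "directory_listing": looks_like_directory_listing(html),
        "backup_files": exposed_backups(base_url, html),
    }


def fetch_and_audit(url, timeout=10):
    """Fetch a URL on a host you administer and audit the response body (not called here)."""
    import urllib.request
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        body = resp.read().decode(charset, "replace")
    return audit(url, body)


# Constructed sample: what an nginx autoindex page with a stray dump in it looks like.
SAMPLE_LISTING = """<html><head><title>Index of /backups</title></head><body>
<h1>Index of /backups</h1><pre><a href="../">../</a>
<a href="db-backup.sql">db-backup.sql</a>   05-Sep-2016 02:14  1.7G
<a href="site.tar.gz">site.tar.gz</a>      05-Sep-2016 02:20   40M
<a href="readme.txt">readme.txt</a>        05-Sep-2016 02:21    1K
</pre></body></html>"""

# Constructed sample: an ordinary page that is neither a listing nor a leak.
SAMPLE_PAGE = '<html><head><title>Home</title></head><body><a href="/about">About</a></body></html>'

if __name__ == "__main__":
    print(audit("http://example.test/backups/", SAMPLE_LISTING))
    print(audit("http://example.test/", SAMPLE_PAGE))
```

The durable fix is on the server side rather than in a scanner: turn directory listings off (`autoindex off;` in nginx, `Options -Indexes` in Apache), keep backups outside the document root entirely, and run a check like this one from a monitoring job so that a backup that lands in the wrong place is noticed before an outsider finds it.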
The Australian Red Cross Blood Service determined that the database stored the registration information of 550,000 individuals who had donated between 2010 and 2016. An investigation revealed that the database was accessible between September 5 and October 25.
The individual who copied the database said he deleted the file, but the organization is still in the process of confirming that no one else accessed it. The incident has been blamed on human error at the third-party service provider that develops and maintains the Blood Service website, but the organization has taken full responsibility.
IDCARE, Australia and New Zealand’s national identity support service, has analyzed the incident and determined that there is low risk of direct misuse.
The Australian Red Cross Blood Service said it reported the incident to the Australian Cyber Security Centre, Federal Police and the Office of the Information Commissioner.
“NGOs should probably allocate more budget for their cybersecurity. Their public-facing web applications are usually protected very badly and may be a source of huge breaches,” Ilia Kolochenko, CEO of web security company High-Tech Bridge, told SecurityWeek. “Moreover, European NGOs should keep in mind the arrival of GDPR, and prepare themselves for it in terms of data security, incident response and all privacy requirements.”