The Australian Red Cross Blood Service has apologized for the largest data breach that’s affected the “Land Down Under” to date.
Shelly Park, chief executive of the Blood Service, issued an apology on 28 October in response to a breach that compromised the data of hundreds of thousands of Aussie blood donors:
“We are incredibly sorry to our donors. We are deeply disappointed this could happen. We take full responsibility and I assure the public we are doing everything in our power to not only right this but to prevent it from happening again.
“We need your continued support to donate blood and feel confident that this will not reoccur in the future.”
On 25 October, an unnamed individual contacted security researcher Troy Hunt and provided him with a dataset from donateblood.com.au.
The data consisted of a 1.74GB file with 1,286,366 records in a “donor” table for the Australian Red Cross Blood Service, including listings for Troy Hunt and his wife.
In total, the file contained the personal information for 550,000 unique donors, including the following bits of data:
- Physical and email address
- Date of birth
- Donor eligibility questions, including whether each donor had engaged in “sexually risky behavior” in the last 12 months
Curious, Hunt asked the user how they came into possession of the data.
Here’s how Hunt described what he was told:
“What he’d actually been doing is simply scanning internet IP addresses and looking for publicly exposed web servers returning directory listings. This is literally as simple as going to an address such as http://127.0.0.1 and seeing a list of all the files on the system (sample address only). He’d then look to see if any of those files contained a .sql extension which would indicate a database backup… and that is all. I’ll come back to why this data was there a little later.”
Hunt subsequently contacted Australia’s Computer Emergency Response Team (AusCERT), with which the Australian Red Cross had a pre-existing membership.
Since learning of the breach, the Blood Service has begun notifying everyone who applied to be a donor using the donateblood.com.au website. They’ve even set up a hotline to help reassure each and every affected user that their personal information is safe.
Clearly, the Australian Red Cross has taken responsibility for the breach. But was it their fault?
The answer: yes and no.
The user who found the data did so because someone at Precedent, a company contracted by the Blood Service to redesign and maintain donateblood.com.au, accidentally published the file (which was essentially a database backup) to a public-facing website that had directory browsing enabled.
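The two mistakes described above, a database backup left inside a public web root and a web server configured to list directory contents, are both things a deployment pipeline can catch before anything is published. The following script is an added example, not code from the Red Cross, Precedent or Troy Hunt: it walks a web root and flags files whose names look like dumps, backups or secrets, and it scans nginx or Apache configuration text for directives that switch directory listings on. The sample web root, file names and config snippet are constructed for illustration; the pattern list is a starting point to extend for your own stack.

```python
"""Pre-deploy audit: flag backup/dump files in a web root and server
configs that enable directory listings.

Added example, not code from the Red Cross, Precedent or Troy Hunt.
All paths, file names and config text below are constructed samples.
"""
import re
import tempfile
from pathlib import Path

# File-name patterns that normally indicate a dump, backup or secret
# rather than a web asset. Extend this list for your stack.
SENSITIVE_PATTERNS = [
    re.compile(p, re.IGNORECASE) for p in (
        r"\.sql(\.gz|\.zip|\.bz2)?$",          # database dumps
        r"\.(bak|old|orig|dump|tar|tgz|tar\.gz|zip)$",  # backups/archives
        r"^\.env$",                             # environment secrets
        r"^\.git$",                             # exposed repository metadata
    )
]


def find_sensitive_files(webroot):
    """Return POSIX-style relative paths under webroot whose name matches
    a sensitive pattern. An empty list means the web root looks clean."""
    root = Path(webroot)
    hits = []
    for path in root.rglob("*"):
        if any(p.search(path.name) for p in SENSITIVE_PATTERNS):
            hits.append(path.relative_to(root).as_posix())
    return sorted(hits)


def listing_enabled(config_text, server):
    """Return 1-based line numbers in config_text where directory listing
    is switched on. server is "nginx" ("autoindex on;") or "apache"
    ("Options Indexes ..." / "Options +Indexes" / "Options All").
    "Options -Indexes" and "autoindex off;" are treated as safe."""
    enabled = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        if server == "nginx":
            if re.match(r"autoindex\s+on\s*;", line, re.IGNORECASE):
                enabled.append(lineno)
        elif server == "apache":
            m = re.match(r"Options\s+(.*)", line, re.IGNORECASE)
            if m:
                tokens = [t for t in m.group(1).split() if not t.startswith("-")]
                if any(t.lstrip("+") in ("Indexes", "All") for t in tokens):
                    enabled.append(lineno)
        else:
            raise ValueError("unknown server type: " + server)
    return enabled


# Constructed nginx snippet: a backups location with listing enabled.
SAMPLE_NGINX = """server {
    listen 80;
    root /var/www/donate;       # constructed sample path
    location /backups/ {
        autoindex on;           # anyone can browse this directory
    }
}
"""


def demo():
    """Build a constructed web root containing a stray .sql dump and run
    both checks. Returns (flagged_files, config_lines_enabling_listing)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.html").write_text("<h1>Donate</h1>")
        (root / "css").mkdir()
        (root / "css" / "site.css").write_text("body{}")
        (root / "backups").mkdir()
        (root / "backups" / "donors_2016-10.sql").write_text("-- constructed, empty dump")
        flagged = find_sensitive_files(root)
    return flagged, listing_enabled(SAMPLE_NGINX, "nginx")


if __name__ == "__main__":
    files, lines = demo()
    for f in files:
        print("sensitive file in web root:", f)
    for n in lines:
        print("directory listing enabled at config line", n)
    raise SystemExit(1 if files or lines else 0)
```

Run it as the last step of a deploy job: a non-zero exit blocks the release when a dump or an `autoindex on` / `Options Indexes` line is found. Name-based matching is deliberately conservative (it looks at file names, not contents), so pair it with a server default of `autoindex off;` or `Options -Indexes` so that a file that slips through is at least not advertised.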
At this time, the contractor is looking into the issue to find out what happened.
In the meantime, Hunt has asked that the user delete all of the Australian Red Cross information he found. The security researcher elected to do the same instead of uploading it to the Have I Been Pwned? website.
Anyone who has used donateblood.com.au to apply to be a donor should contact the hotline set up by the Australian Red Cross Blood Service.
Also, while it’s common for consumers to back away from services that have been breached, please don’t do so in this case. The Australian Red Cross does some amazing work. They’ve owned up to what happened, so let’s continue to support them and trust in the fact that they’ll do a better job securing donors’ information in the future.