The Australian Red Cross Blood Service has launched an investigation after the personal information - including names, medical details, and even blood type - of more than half a million blood donors was compromised in an online data breach.
The move follows the discovery of a 1.74GB MySQL database back-up with more than 1.28 million records that had been published to a publicly-facing website. It is understood that the volume of data leaked makes it Australia's largest breach to date.
According to the Australian Red Cross Blood Service, the file containing donor information had been placed in an “insecure environment” by a third party technology partner that develops and maintains the Blood Service’s website.
Rob Van Selm, Asia Pacific delivery director for one of the Blood Service's technology partners, Precedent, has confirmed the company is working with the organisation and AusCERT in relation to the breach.
“We’re involved in an investigation working with Red Cross and AusCERT as well," Van Selm told ARN. “We’re aware of the data breach, and at the moment, we’re working with them to try and investigate."
According to Van Selm, who is based in Precedent's Western Australia office, the CMS and web development company was engaged by the Red Cross Blood Service to develop a website for the organisation.
"We can confirm the issue has been isolated and to our knowledge the data has not been compromised. We will continue to work with necessary authorities and assist Australian Red Cross Blood Service and AusCERT in every way possible," Precedent said in a statement.
The file in question contained registration information, including the names, addresses and dates of birth of 550,000 individuals who had donated blood between 2010 and 2016.
The Australian Red Cross Blood Service has mobilised a team of security experts to conduct a forensic analysis of the incident in response to the breach.
The organisation has also established a taskforce, including independent experts to conduct a thorough investigation of governance and security structures within the Blood Service.
The Red Cross Blood Service said it has managed to delete all known copies of the archive, and has removed the vulnerability from the web developer’s server. It undertook these measures with the help of AusCERT, Australia's computer emergency response team – of which the Blood Service is a member.
“We are deeply disappointed this could happen. We take full responsibility for this mistake and apologise unreservedly,” the Blood Service’s chair, Jim Birch, and chief executive, Shelly Park, said in a joint statement – even though the information had been made public by the organisation’s technology partner.
“We would like to assure you we are doing everything in our power to not only right this but to prevent it from happening again,” they said.
The organisation has also launched a dedicated hotline and organised access to national identity and cyber support service, IDCARE, for concerned donors to find out more information about the incident.
The breach came to light after anonymous source sent security researcher, Troy Hunt, just one of out of 647 different donor tables that were publicly discoverable online.
“There's no escaping the fact that this was a major cock-up on many levels and that's the simple, honest truth,” Hunt said in a blog post.
According to Hunt, the anonymous source had simply been scanning internet IP addresses and looking for publicly exposed web servers returning directory listings.
“The database backup was published to a publicly facing website,” Hunt said.
"This is really the heart of the problem because no way, no how should that ever happen. There is no good reason to place database backups on a website, let alone a publicly facing one.
“The final piece that made all this possible was having directory browsing enabled on the server. The database backup should never have been there in the first place, but it's highly unlikely it would have been found without directory browsing enabled,” he said.
Hunt also stressed that, despite the size and severity of the breach, it should not discourage anyone from giving blood in the future.
“As important as this incident is, it pales in comparison to making a donation that could save lives,” he said.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.