Inside the mop-up of a huge data “cock-up”

How AusCERT helped to tackle the Australian Red Cross Blood Service’s massive data breach

In late 2016, the Australian Red Cross Blood Service made headlines for all the wrong reasons after it emerged that the personal information of more than half a million blood donors had somehow found its way onto a publicly-facing website.

It was discovered that a file containing donor information, including names, gender, addresses, blood type, and phone numbers, had been placed in a non-secure environment by a third-party technology partner that had developed and maintained the Blood Service’s website.

Rob Van Selm, Asia Pacific delivery director for one of the Blood Service's technology partners, Precedent, subsequently confirmed the company was working with the organisation in relation to the breach.

The breach came to light after an anonymous source sent security researcher Troy Hunt one of 647 different donor tables that were publicly discoverable online. The 1.74GB MySQL database backup that had been discovered online contained more than 1.28 million records.

“There's no escaping the fact that this was a major cock-up on many levels and that's the simple, honest truth,” Hunt said in a blog post at the time.

The incident was remarkable due to the sheer volume of information that had been compromised – with some pundits at the time referring to it as Australia’s largest data breach to date.

However, it was also remarkable to some degree due to the speed and efficiency with which the Red Cross Blood Service acted to remedy the situation.

Not only did the organisation immediately launch an investigation into the breach, it swiftly engaged Australia’s Computer Emergency Response Team (AusCERT).

As a paying member of the non-profit organisation, the Australian Red Cross Blood Service was able to get AusCERT and its general manager at the time, Thomas King, on board early to help it stem the fallout of the incident.

From the perspective of King, who has since moved on to become general manager of managed security services at Telstra, the move by the Red Cross Blood Service’s CEO, Shelley Park, to be open and up-front with the public about the breach was an important first step to dealing with the problem.

The organisation even launched a dedicated hotline and organised access to a national identity and cyber support service for concerned donors to find out more information about the incident.

“The Blood Service is an exemplar…of owning the problem, and not trying to deflect it, even though it wasn’t actually fully their fault. A third party let them down; it was human error. It wasn’t a hack,” King told ARN. “Even though that was the case, they owned it, as though it was a hack and it was 100 per cent their responsibility.”
