Wednesday, 2 November 2016

Yet another example of why the Australian Government's desire for the ultimate big data pool of citizen' personal information is a bad idea


This time it was the Australian Red Cross releasing 1.28 million donor records, containing first name, last name, gender, physical address, email address, phone number, date of birth, blood type, previously blood donations, country of birth, when record was created, type of donation, date of donation and donor eligibility answers including any sexually transmitted disease or drug use history.

This information was publicly available for viewing and download from 5 September to 26 October 2016.
           
IT News, 28 October 2016:

More than one million personal and medical records of Australian citizens donating blood to the Red Cross Blood Service have been exposed online in the country’s biggest and most damaging data breach to date.
A 1.74 GB file containing 1.28 million donor records going back to 2010, published to a publicly-facing website, was discovered by an anonymous source and sent to security expert and operator of haveibeenpwned.com Troy Hunt early on Tuesday morning.
The database was uncovered through a scan of IP address ranges configured to search for publicly exposed web servers that returned directory listings containing .sql files.
The contents of the 'mysqldump' database backup contains everything from personal details (name, gender, physical and email address, phone number, date of birth and occasionally blood type and country of birth) to sensitive medical information, like whether someone has engaged in at-risk sexual behaviour in the last year.
The database collected information submitted when an individual books an appointment - either on paper or online - to donate blood. The process requires donors to enter their personal details and fill out an eligibility questionnaire.
It does not contain data on blood reports or analyses, or responses to the full donor questionnaire all blood bank visitors are required to fill out at the time of their donation.
The database was published on the webserver of a Red Cross Blood Service technology partner that maintains the service's website, not the organisation’s www.donate.blood.com.au site where online bookings are made.
"This is a seriously egregious cock-up - this should never happen," Hunt told iTnews.
"There are no good reasons to put database backups on a publicly-facing website." The issue was compounded by the fact that directory browsing was enabled on the server, he said.
The file was removed on Wednesday. Hunt said there was no evidence of it having been accessed by anyone else, and both he and the anonymous source had deleted their copies.
Australia’s computer emergency response team, AusCERT, has been working with the Red Cross after being notified to the breach by Hunt on Tuesday.
The Red Cross indicated around 550,000 individual donors were impacted.
It attributed the issue to "human error" and said it was "deeply disappointed" to be in this position.
The service has started notifying affected donors today.

The Australian, 29 October 2016:
The Red Cross admitted it did not know how many people had accessed the information, which was publicly available from September 5 until Wednesday.
The breach was revealed by an unknown person who alerted Microsoft employee Troy Hunt, who runs a data breach notification service. Mr Hunt reported the breach to cyber-threat group AusCert, which in turn alerted the Red Cross.
The incident is being investigated by the Australian Federal Police, the Department of Health and the Australian Privacy ­Commission.
Red Cross Blood Service chief executive Shelly Park yesterday urged people to continue ­donating blood, saying information was now secure. “To our knowledge, all known copies of the data have been ­deleted. However, investigations are continuing,” Ms Park said.
But Mr Hunt said there was no guarantee the information had been completely erased, adding the breach was the latest ­illustration of how basic mistakes are key contributors to ­personal data being accessed by others.
“There was nothing new in how this data was accessed, this was just plain, old stupidity,” he said. “The real question this raises is should this data have been ­retained in the first place and why a third party needed the information at all.”
According to breachlevelindex.com in the first half of 2016 the Asia Pacific Region experienced 76 significant data breaches, 22 of which were in Australia.
Earlier this year: a Menulog exposed breach exposed 1.1 million records containing customer names, addresses, order histories and phone numbers [the exact quote in the CIO Australia article linked to here was "suffered from a breach of 1.1 million records leaving customer names, addresses, order histories and phone numbers exposed"- The Ideas Suite public relations agency acting on behalf of Menulog 
contacted North Coast Voices and would prefer to characterize this breach as "A former Menulog employee stumbled upon the private details of the company's customers, including customer names and email addresses". It is noted that the journalist quoted does not appear to have been asked by this agency to amend the original 21 September 2016 CIO Australia article as it remains as first published]; a malicious hacked dump of 67,118 Shadi.com customer records, recruitment agency Sarina Russo exposed client financial records which were dumped in a bin next to the office; disability information on nearly 7,000 current/former Sydney University students was exposed; customer accounts details on The Sydney Morning Herald and The Age digital editions, the Do Not Call Register and industry group CompTIA were also breached.

Also in 2016: the Australian Bureau of Statistics released contact names linked to more than 5,000 Queensland businesses in what was described as a “human error”; the Health Department was forced to remove data from its website amid an investigation into whether personal information has been compromised; and the Australian Public Service Commission confirmed it had withdrawn data gathered in its massive annual employee census from public view – but not before the data set containing the details of 96,700 federal public servants has been accessed by unknown persons 58 times. The Queensland Dept. of Premier and Cabinet and Dept. of Tourism were also maliciously hacked - along with the Maitland office of the NSW Dept. of Resources and Energy

In the 2015-16 financial year Victoria Police had 453 "information security incidents"  up 36 per cent on the year before, with 27 incidents of police officers inappropriately accessing computer systems (including the Law Enforcement Assistance Program LEAP) and 40 instances of police data released without authorisation.


In 2015 K-Mart Australia’s online shopper database was hackedPayroll systems were breached, harvesting extensive personal details (including names, address, dates of birth, tax file numbers, bank account details, gross earnings and superannuation funds and membership numbers) of up to 500 workers a day and the information used to lodge fraudulent tax returns with the Australian Taxation Office.

Additionally in 2015 Telstra customer’s admin and user credentials were stolen - including those of the Australian Federal Police. Similarly, the Patagonia Clothing Company, Aussie Farmers, David Jones, Queensland TAFE experienced data breaches where personal information was hacked and, 31,140 Optus customers’ had their personal and credit history information publicly posted on the website freelancer.com by the debt collection agency ARC Merchantile.

In 2014 Centrelink left revealing personal and financial details of clients lying around at a suburban railway station and the Department of Immigration and Border Protection unlawfully disclosed the personal information of approximately 9,250 asylum seekers by publishing a word document on a public page of the department’s website.

An estimated 800 million records were lost in 2014, mainly through cyber-attacks, and such attacks are thought to cost large Australian enterprises an average of $8.3 million a year.

With this unhealthy mix of ongoing institutional incompetence and determined malicious hacking risking the privacy of so much personal information, is it any wonder that concerned individuals look on the Turnbull Government’s drive to create a national database - which it will continuously update with additional medical, legal, financial, social and family information on each person born and/or residing in this country – as a gigantic honey hive ripe for the robbing?

Oh, and in case social media users are feeling comfortable about their own privacy on major online platforms – in June 2016 the Facebook application known as Uiggy was hacked and 4.3 million accounts were exposed along with names, genders, and Facebook IDs (2.7 million of which had email addresses against them) and on 27 October 2016 there was a Pastebin dump of 32 million Twitter accounts along with an invitation to use the details to hack further.

No comments: