This time it was the Australian Red Cross releasing 1.28 million donor records, containing first name, last name, gender, physical address, email address, phone number, date of birth, blood type, previous blood donations, country of birth, when the record was created, type of donation, date of donation and donor eligibility answers including any sexually transmitted disease or drug use history.
This information was publicly available for viewing and download from 5 September to 26 October 2016.
More than one million personal and medical records of Australian citizens donating blood to the Red Cross Blood Service have been exposed online in the country’s biggest and most damaging data breach to date.
A 1.74 GB file containing 1.28 million donor records going back to 2010, published to a publicly-facing website, was discovered by an anonymous source and sent to security expert and operator of haveibeenpwned.com Troy Hunt early on Tuesday morning.
The database was uncovered through a scan of IP address ranges configured to search for publicly exposed web servers that returned directory listings containing .sql files.
The contents of the 'mysqldump' database backup contain everything from personal details (name, gender, physical and email address, phone number, date of birth and occasionally blood type and country of birth) to sensitive medical information, like whether someone has engaged in at-risk sexual behaviour in the last year.
The database collected information submitted when an individual books an appointment - either on paper or online - to donate blood. The process requires donors to enter their personal details and fill out an eligibility questionnaire.
It does not contain data on blood reports or analyses, or responses to the full donor questionnaire all blood bank visitors are required to fill out at the time of their donation.
The database was published on the webserver of a Red Cross Blood Service technology partner that maintains the service's website, not the organisation’s www.donate.blood.com.au site where online bookings are made.
"This is a seriously egregious cock-up - this should never happen," Hunt told iTnews.
"There are no good reasons to put database backups on a publicly-facing website." The issue was compounded by the fact that directory browsing was enabled on the server, he said.
The file was removed on Wednesday. Hunt said there was no evidence of it having been accessed by anyone else, and both he and the anonymous source had deleted their copies.
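The two misconfigurations described above (a database backup sitting in the web root and directory browsing enabled) map onto a couple of web-server directives. The following Apache httpd fragment is an added example, not configuration from the article or from the Red Cross's technology partner; it assumes the document root is /var/www/html.

```apacheconf
# Added example (not from the article): the weak configuration first, then
# the hardened form. Assumes the site's document root is /var/www/html.

# --- Weak configuration: roughly what the exposed server behaved like ---
<Directory "/var/www/html">
    # Indexes = directory listing. Any file dropped into the web root, such
    # as a mysqldump output, becomes discoverable just by browsing the folder.
    Options +Indexes +FollowSymLinks
    Require all granted
</Directory>

# --- Hardened configuration ---
<Directory "/var/www/html">
    # No directory listings: a folder without an index file returns 403
    # instead of a file list, so stray files are not enumerable.
    Options -Indexes +FollowSymLinks
    Require all granted
</Directory>

# Defence in depth: even if a dump is copied into the web root by mistake,
# refuse to serve common database backup extensions at all.
<FilesMatch "(?i)\.(sql|sql\.gz|sql\.bz2|sql\.zip|dump|bak)$">
    Require all denied
</FilesMatch>
```

Backups should still be written to a path outside the document root; the FilesMatch rule only limits the damage when that rule is broken.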
Australia’s computer emergency response team, AusCERT, has been working with the Red Cross after being notified of the breach by Hunt on Tuesday.
The Red Cross indicated around 550,000 individual donors were impacted.
It attributed the issue to "human error" and said it was "deeply disappointed" to be in this position.
The service has started notifying affected donors today.
The Red Cross admitted it did not know how many people had accessed the information, which was publicly available from September 5 until Wednesday.
The breach was revealed by an unknown person who alerted Microsoft employee Troy Hunt, who runs a data breach notification service. Mr Hunt reported the breach to cyber-threat group AusCERT, which in turn alerted the Red Cross.
The incident is being investigated by the Australian Federal Police, the Department of Health and the Australian Privacy Commission.
Red Cross Blood Service chief executive Shelly Park yesterday urged people to continue donating blood, saying information was now secure. “To our knowledge, all known copies of the data have been deleted. However, investigations are continuing,” Ms Park said.
But Mr Hunt said there was no guarantee the information had been completely erased, adding the breach was the latest illustration of how basic mistakes are key contributors to personal data being accessed by others.
“There was nothing new in how this data was accessed, this was just plain, old stupidity,” he said. “The real question this raises is should this data have been retained in the first place and why a third party needed the information at all.”
According to breachlevelindex.com, in the first half of 2016 the Asia Pacific region experienced 76 significant data breaches, 22 of which were in Australia.
Earlier this year: a Menulog breach exposed 1.1 million records containing customer names, addresses, order histories and phone numbers [the exact quote in the CIO Australia article linked to here was "suffered from a breach of 1.1 million records leaving customer names, addresses, order histories and phone numbers exposed" - The Ideas Suite public relations agency, acting on behalf of Menulog, contacted North Coast Voices and would prefer to characterize this breach as "A former Menulog employee stumbled upon the private details of the company's customers, including customer names and email addresses". It is noted that the journalist quoted does not appear to have been asked by this agency to amend the original 21 September 2016 CIO Australia article, as it remains as first published]; a malicious hacked dump of 67,118 Shadi.com customer records; recruitment agency Sarina Russo exposed client financial records, which were dumped in a bin next to the office; disability information on nearly 7,000 current/former Sydney University students was exposed; customer account details on The Sydney Morning Herald and The Age digital editions, the Do Not Call Register and industry group CompTIA were also breached.