Australia has recently seen its largest data breach ever. Over a million medical and personal records belonging to Australian citizens have been found online.
On Tuesday, 1.28 million donor records contained in a 1.74 GB file were sent by an anonymous party to Troy Hunt, the security expert who operates haveibeenpwned.com. The anonymous source told Hunt that the database had been found by scanning IP address ranges in search of exposed web servers.
The file holds everything from personal information to medical records containing sensitive details. The data was gathered from an online form that prospective donors must complete before they can give blood: a registration form and questionnaire asking for personal information as well as sensitive information such as any high-risk sexual behaviour. The records do not contain blood test reports or analysis findings, nor the responses to the full donor questionnaire that all donors answer at the time of donation.
The database had been left on the server of the Red Cross Blood Service partner that maintains the website.
“This is a seriously egregious cock-up. This should never happen. There are no good reasons to put database backups on a publicly facing website,” Hunt said in an interview.
He also noted that directory browsing was enabled on the server. The file was removed on Wednesday, and the blood service stated that it had been accessible from September 5th, 2016 to October 25th, 2016.
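Both of the failings Hunt describes, a database backup sitting inside a web server's document root and directory browsing switched on so that anyone can list it, are catchable before deployment. The following is an added example, not code from the article, from the Red Cross Blood Service or from its web contractor: a small pre-deploy check in Python that walks a document root and flags file names that look like database dumps, backup archives or secrets files. The name patterns and the constructed sample listing are assumptions for illustration, not details of the incident; disabling directory listing is a separate web server configuration setting that this script does not touch.

```python
import os
import re
import sys
from typing import Iterable, List, Tuple

# Assumed file-name patterns that indicate content which should never sit
# under a web server's document root. Each entry is (regex, reason).
BACKUP_PATTERNS = [
    (re.compile(r"\.(sql|sqlite|sqlite3|db|mdb|bak|dump|dmp)(\.(gz|bz2|xz|zip|7z))?$", re.I),
     "database dump or backup file"),
    (re.compile(r"(backup|dump|export)[^/]*\.(zip|tar|tar\.gz|tgz|7z|rar)$", re.I),
     "backup archive"),
    (re.compile(r"(^|/)\.env$|(^|/)\.git(/|$)|(^|/)\.svn(/|$)", re.I),
     "configuration or VCS metadata"),
]

# Constructed sample listing of a hypothetical document root (not real paths
# from the incident), used so the check can be exercised offline.
SAMPLE_LISTING = [
    "index.html",
    "css/site.css",
    "js/app.js",
    "uploads/logo.png",
    "donors_backup.sql",           # plain SQL dump left in the web root
    "backups/site-export.tar.gz",  # compressed archive named like an export
    "db/app.sqlite3",              # live SQLite database file
    ".env",                        # credentials file
    "docs/readme.sql.txt",         # harmless: the real extension is .txt
]


def flag_backup_paths(paths: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (path, reason) for every path, relative to the document root,
    whose name matches one of BACKUP_PATTERNS. Paths are normalised to '/'
    separators so the same patterns work on any platform."""
    flagged = []
    for p in paths:
        norm = p.replace(os.sep, "/")
        for pattern, reason in BACKUP_PATTERNS:
            if pattern.search(norm):
                flagged.append((norm, reason))
                break  # one reason per file is enough for a report
    return flagged


def scan_webroot(root: str) -> List[Tuple[str, str]]:
    """Walk a real document root on disk and flag suspicious files."""
    rel_paths = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel_paths.append(os.path.relpath(full, root))
    return flag_backup_paths(rel_paths)


def demo() -> List[Tuple[str, str]]:
    """Run the check over the constructed sample listing."""
    return flag_backup_paths(SAMPLE_LISTING)


if __name__ == "__main__":
    # Usage: python check_webroot.py /var/www/html
    # With no argument the constructed sample listing is checked instead.
    hits = scan_webroot(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for path, reason in hits:
        print(f"REMOVE BEFORE DEPLOY: {path}  ({reason})")
    sys.exit(1 if hits else 0)
```

Wired into a deployment pipeline, a non-zero exit from this check blocks the release until the offending files are moved out of the document root; it complements, rather than replaces, turning off directory listing in the web server configuration and keeping backups off public-facing hosts altogether.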
“There is no evidence of the file having been accessed by anyone else, and both copies have been destroyed,” Hunt commented further.
AusCERT, Australia’s Computer Emergency Response Team, has been working with the Red Cross to establish exactly what happened and whether anyone else obtained the database. The Red Cross said that over 55,000 people were affected by this carelessness. It attributed the incident to human error and said it was deeply disappointed to be in this position. The Red Cross began notifying donors today.
“We are extremely sorry and deeply disappointed to have put our donors in this position. We apologize and take full responsibility for this,” Shelly Park, Red Cross Blood Service chief executive, stated. “I want to assure our valued donors that we are doing absolutely everything to right this, and we will ensure that we are in the position that this will never happen again.”
Given the sheer number of records, this breach is the largest leak in Australia to date. It is also the first time that sensitive medical details of Australians have been leaked online on such a scale.
Hunt urges people not to let this stand in their way when it comes to being a donor again.
“The bigger picture here is that this is lifesaving stuff. I’ve registered an appointment for Monday through the site and entered all my legitimate information and try to encourage people to donate,” Hunt said.
The Privacy Commissioner, Timothy Pilgrim, has also said he will investigate the breach and report his findings publicly:
I welcome the Red Cross’ prompt actions to prevent any further disclosure of this highly sensitive personal information. My office encourages voluntary notifications of data breaches, particularly where there is a risk to an individual as a result of the breach. This is good privacy practice as it gives individuals the opportunity to take proactive steps to protect their personal information and also helps to protect an organization’s reputation by displaying transparency.