Red Cross in Australia Carelessly Let Happen Country's Largest Data Breach
01.11.2016
The first person who informed about a large-scale leakage of data in his blog was Troy Hunt, head of the Microsoft regional office, information security expert and founder of the website Have I Been Pwned. An unnamed user contacted him on Twitter and said that he had possessed personal data from the registration form of the Australian Red Cross website. As evidence, the anonymous also sent Hunt’s own data from the donor’s online profile: gender, name, phone number, email address, date of birth, and date of the last visit to the donor center. It later turned out that the information about his wife, who more frequently donated blood, had been more complete and had also included home address and information about her blood group. Eventually, the source sent Hunt the entire database of 1.74 GB. Personal data of 550 thousand donors was compromised.  These are the donors who filled out a standard questionnaire on-line form on the site from 2010 to 2016. Hunt reported the incident to the Australian response group AusCERT. At the Red Cross press conference in Melbourne, the head of the Australian Red Cross community admitted that the data leakage had occurred because of a human error. Preliminary investigation revealed: the database backup was stored on the developer's site, and a third party person who was responsible of the website technical support had an access to it. According to Hunt, this is the most large-scale data leakage in Australia that happened by inadvertence. Representatives of the Red Cross noted that the data did not contain any medical information about donors' health status and results of blood tests. Hunt also said that the questions in the donor questionnaire were generally harmless and involved, for example, questions about weight of donor, latest tattoos or information about visiting the dentist. However, there is also the question: “Have you had an unprotected sex in the last 12 months?”. Security experts, whom the Red Cross approached for help, believe that it is highly unlikely that the data was or will be used for the profit. The user, who sent the database to Hunt, deleted the file. The founder of the website Have I Been Pwned is confident that the user did not have any malicious intent. Nevertheless, the Red Cross sent all donors who filled out the registration form on the site a warning message about possible misuse of their data.
Subscribe to get helpful articles and white papers. We discuss industry trends and give advice on how to deal with data leaks and cyberincidents.