Red Cross data theft: personal info of 550,000 blood donors exposed to the masses

The private lives of half a million Australians – including sexual and medical histories – have been made public in what could be one of the country’s largest data breaches.

Australian Red Cross Blood Service staff are contacting more than 550,000 blood donors whose personal information was contained in a file accidentally placed on an unsecured, public-facing part of their website.


A file containing the details of over 550,000 Red Cross blood donors and donor applicants has been leaked. Courtesy ABC News 24.

The information relates to donors from 2010 to 2016 and includes names, addresses and dates of birth as well as sensitive donation eligibility questions concerning sexual activity, drug use, weight and medical conditions.

The Australian Privacy Commissioner will launch an investigation and a human rights lawyer says those affected may be able to make a claim for damages.


The breach of data comes from the Australian Red Cross Blood Service and dates back to 2010. Photo: Dallas Kilponen


A text message sent to people potentially affected by the Red Cross data breach. Photo: Supplied

Red Cross Blood Service chief executive Shelly Park blamed the breach on human error by a contractor that runs the organisation's website, but said the information was considered to be at low risk of direct misuse in the future.

The data had been available online since early September and is believed to have been accessed on Monday, October 24.

Investigations are continuing and the Australian Federal Police and Australian Cyber Security Centre have been informed of the breach.

“On October 26, we learnt that a file, containing donor information, which was located on a development website, was left unsecured by a contracted third party who develops and maintains our website,” Ms Park said.

“The issue occurred due to human error. Consequently, this file was accessed by a person outside of our organisation.”

Ms Park said the organisation had engaged cyber security experts to investigate how it was “caught out” and was in the process of notifying donors affected.
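The failure described here, a database export sitting inside the document root of a development site where the web server hands it to anyone who asks, is one a routine web-root audit catches before a site is exposed. The script below is an added example, not code from the article, the Blood Service or its contractor: it walks a document root, flags files by backup-style extension and by content signature (mysqldump and pg_dump headers, SQLite magic bytes, raw INSERT statements, gzip), and returns the findings. The directory layout, file names and dump contents it builds are constructed for the demonstration.

```python
"""Audit a web document root for database dumps and backups that a web
server would serve unauthenticated.  Added example; the sample tree it
builds is constructed and does not reflect any real site."""
import os
import re
import tempfile

# Extensions that commonly hold database exports or site backups.
RISKY_SUFFIXES = (".sql", ".sql.gz", ".bak", ".dump", ".sqlite", ".db",
                  ".zip", ".tar.gz", ".csv")

# Content signatures, checked on the first few KB so renamed files are
# caught even when the extension looks harmless.
CONTENT_SIGNATURES = [
    ("mysqldump header", re.compile(rb"^-- MySQL dump", re.M)),
    ("pg_dump header", re.compile(rb"^-- PostgreSQL database dump", re.M)),
    ("SQLite file", re.compile(rb"^SQLite format 3\x00")),
    ("SQL INSERT statements", re.compile(rb"\bINSERT INTO\b")),
    ("gzip archive", re.compile(rb"^\x1f\x8b")),
]


def classify(path, head):
    """Return the list of reasons a file looks like exposed backup data."""
    reasons = []
    lower = path.lower()
    for suffix in RISKY_SUFFIXES:
        if lower.endswith(suffix):
            reasons.append(f"suffix {suffix}")
            break
    for label, rx in CONTENT_SIGNATURES:
        if rx.search(head):
            reasons.append(label)
    return reasons


def audit_webroot(root, head_bytes=4096):
    """Walk `root` and return (relative path, size, reasons) for each hit."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(head_bytes)
            except OSError:
                continue  # unreadable files are reported by other means
            reasons = classify(path, head)
            if reasons:
                findings.append((os.path.relpath(path, root),
                                 os.path.getsize(path), reasons))
    return sorted(findings)


def build_constructed_webroot():
    """Create a throwaway document root with constructed sample files."""
    root = tempfile.mkdtemp(prefix="webroot_")
    os.makedirs(os.path.join(root, "backup"))
    os.makedirs(os.path.join(root, "assets"))
    samples = {
        "index.html": b"<html><body>Dev site</body></html>",
        "assets/logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
        # A mysqldump-style export dropped into the web root (constructed).
        "backup/donors_2016.sql": (
            b"-- MySQL dump 10.13  Distrib 5.7.x\n"
            b"INSERT INTO `donor` VALUES (1,'A. Example','1980-01-01');\n"),
        # A SQLite database renamed to .txt; only content sniffing finds it.
        "notes.txt": b"SQLite format 3\x00" + b"\x00" * 32,
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    return root


def demo():
    """Build the constructed tree and audit it."""
    return audit_webroot(build_constructed_webroot())


if __name__ == "__main__":
    for rel, size, reasons in demo():
        print(f"{rel} ({size} bytes): {', '.join(reasons)}")
```

Against a live site, call `audit_webroot("/var/www/html")` (the path is an assumption for illustration) from the host, or point it at the export of a deployment artifact before it is pushed. Content sniffing is the part that matters: a dump renamed to `.txt` is still served as a download, and a suffix-only check misses it. The scan is a safety net; the primary control is that development sites and their backup directories are not reachable from the internet at all.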

Donors affected have been warned that there is an increased risk to their online security and that they should be on the lookout for phone and email scams.

“We are extremely sorry. We are deeply disappointed to have put our donors in this position,” Ms Park said.

Microsoft employee and technology blogger Troy Hunt, who runs a data breach notification service, reported that the person who gained access to the information had contacted him and shared a 1.74GB data file containing the records, including Mr Hunt's own personal details.

His name, email, gender, date of birth, phone number and date of last donation were disclosed in the file.

The same was true of his wife, whose record also contained her blood type and their home address.

“The database backup was published to a publicly facing website. This is really the heart of the problem because no way, no how should that ever happen,” he wrote in a blog post.

Mr Hunt said he had deleted his copy of the information and the person who gave it to him had agreed to do the same. The Red Cross said, to their knowledge, “all known copies of the data have been deleted”.

The exposed data may include answers to the highly sensitive eligibility questions, such as: “In the last 12 months, have you engaged in any at-risk sexual behaviour?”


Donors are also asked if they have ever injected recreational drugs, are on antibiotics, if they are under or overweight and if they have undergone any surgical procedures.

Australian Privacy Commissioner Timothy Pilgrim announced a probe into the breach on Friday afternoon.

“I will be opening an investigation into this matter and will work with the Red Cross to assist them in addressing the issues arising from this incident.

“The results of that investigation will be made public at its conclusion,” he said in a statement.

“My office encourages voluntary notification of data breaches, particularly where there is a risk to an individual as a result of a breach.”

Human rights lawyer George Newhouse said the privacy commissioner had the power to order damages and apologies.

Adjunct Professor Newhouse also said his office was considering mounting legal action for those affected.

“We’re looking into a class action on behalf of those who have had their data unlawfully accessed,” he said.

“On the basis that they’ve had their privacy breached.”

Even basic personal information could lead to identity fraud, but it was worse for anyone whose sexual or medical history had been compromised, he said.

“This is highly sensitive personal information that could cause enormous embarrassment to people in their personal and work lives. This incident highlights how vulnerable organisations and individuals are to unauthorised access.”

A Health Department spokeswoman said she was confident the blood service would recover.

“The ARCBS is a long-standing institution who are charged with ensuring a viable donor base, safe collection, processing and distribution of blood and blood products,” she said.

“We are confident that the ARCBS will be able to recover from this incident, build the confidence of the donor base and ensure that the safety and security of their systems are robust and compliant with privacy and confidentiality requirements.”

The AFP and the Australian Cyber Security Centre referred questions about their involvement to the Health Department.

If people have privacy concerns about this incident they can contact the privacy commissioner’s office for free confidential advice on enquiries@oaic.gov.au or 1300 363 992 or contact the Red Cross Blood Service through a dedicated hotline.


Henry Sapiecha
