Australian Information Commissioner praises Red Cross for data breach response


Last October, the Australian Red Cross Blood Service had 1.74 GB of backup data compromised. This reportedly included 1.3 million rows and 645 tables containing personal information belonging to some 550,000 online blood donor applications.

The following details were reportedly made publicly available: Name; Gender; Postal address; Email address; Phone number; Date of Birth; Country of Birth; Blood Type; Type of donation.

Other information relating to blood donations, such as donor eligibility answers and appointments, was also revealed. Some of this can certainly be classed as very sensitive information indeed.

Discovery of the breach

Security researcher Troy Hunt confirmed that the wrongfully disclosed information had been published online and was publicly accessible; Hunt and his wife found their own information on the web for all to see. Hunt blogged about the breach and the steps taken to publicly disclose the incident, to provide information and advice for those affected.

Hunt reportedly discovered the breach through his position as owner of HaveIBeenPwned.com, a website that lets people check whether their email address or domain has appeared in a known data breach. One user contacted Hunt with the information listed above, and Hunt contacted the Australian Computer Emergency Response Team (CERT) to handle the data breach.

CERT promptly contacted the Red Cross, which issued a public statement in response to the breach. Shelly Park, CEO of the Australian Red Cross Blood Service, apologised for the breach in a statement:

“We are extremely sorry. We are deeply disappointed to have put our donors in this position.”

Human error the cause

Park told journalists that “the issue occurred due to human error. The back-up file contained 550,000 people who completed a web form to access a donation between 2010 and 2016.” Park explained that the organisation was taking advice from the Australian Cyber Security Centre and was notifying donors of the breach.

The Australian Information Commissioner was notified of the breach and conducted its own investigation.

Sensitive information disclosed

Even though the breach was accidental, the huge amount of data can still put thousands of people at risk. “It’s highly unlikely there was a valid reason for them to provide the partner with such an extensive amount of data and I’m sure there will be many questions asked as to how so much information should have been shared in the first place and indeed how much is shared in the future,” noted Hunt.

He further addressed concerns about the sensitive nature of the eligibility answers, since the application process asks about recent drug use, sexual activity and surgical procedures. Hunt calculated that around 7,343,537 answers were publicly disclosed along with each applicant’s name and contact information.

Regulator’s investigation concluded

The Australian Information Commissioner has now concluded its investigation and commended the Red Cross Blood Service for the way it handled the data breach.

Timothy Pilgrim, Acting Australian Information Commissioner, said he was confident that the organisation was committed to being “honest with the public, upfront with my office, and have taken responsibility at every step of this process.”

Pilgrim recognises that no organisation is impenetrable; in most cases, therefore, how well damage to victims is managed and mitigated depends on how the breach is handled.
