Australian Red Cross Data Breach Exposes 550,000 Blood Donors' Personal Information


The Australian Red Cross Blood Service recently apologized after 550,000 blood donors' personal information was mistakenly exposed online.

The breach appears to be the largest in the country's history.

The information exposed included the names, genders, email addresses, mailing addresses, phone numbers, and birthdates of people who donated blood between 2010 and 2016. It also included answers to the question, "In the last 12 months, have engaged in at-risk sexual behavior?"

The data was accessible from September 5 to October 25, 2016, and was accessed on October 24, 2016 by someone scanning for security vulnerabilities, who notified Troy Hunt of the data breach notification service Have I Been Pwned of the flaw.

A third party service provider that maintains the Blood Service's website had mistakenly placed a database backup containing the information on an insecure Web server.

"The database backup was published to a publicly facing website," Hunt explained in an analysis of the breach. "This is really the heart of the problem because no way, no how should that ever happen. There is no good reason to place database backups on a website, let alone a publicly facing one."

"Working with AusCERT, a cyber security organization who provides information and security advice to us as a member of their service, we have managed to have all known copies of the archive deleted, and have removed the vulnerability from the Web developer's server," the Blood Service stated in a FAQ.

Prevalent director of product management Jeff Hill told eSecurity Planet by email that the Blood Service breach points to the integral role third parties play in organizational operations today. "Like the Red Cross, how many enterprises outsource a basic function such as website development and maintenance to a vendor? Probably most," he said. "How many websites collect data from customers, some of which is sensitive? Probably most. How many organizations pay little attention to the risk posed by an ever-expanding portfolio of vendors, including their website developers? Probably most."

Last month, a group of tech companies announced the formation of the Vendor Security Alliance (VSA), a coalition aimed at helping businesses streamline their vetting processes for third party vendors' cyber security risks. Member companies include Uber, Airbnb, Atlassian, Docker, Dropbox, GoDaddy, Palantir, Square and Twitter.

"Bringing together top security experts and experienced compliance officers in an unprecedented way, the VSA will release a yearly security and compliance questionnaire to benchmark vendor risk," the VSA said in a statement. "This will establish clear expectations and a unified set of requirements for vendors. Companies can leverage this questionnaire to measure and mitigate vendor risk, ensuring they can consistently evaluate potential vendors using a predetermined set of criteria, controls and practices."

Earlier this year, a NAVEX Global survey of 321 profesionals involved in third party management found that 32 percent of respondents don't evaluate third parties at all before engaging with them, and 11 percent don't even know how many third party vendors they work with.

"Though many organizations know which third party failures they should fear, they have not built sufficient programs and processes to identify and manage those risks," NAVEX Global vice president for advisory services and report author Randy Stephens said at the time.

A recent eSecurity Planet article suggested five best practices for reducing third-party security risks.