About 550,000 Australia Red Cross blood donor records have been exposed by a Web developer using their Web server like a personal file server.
Blood donations are important, and the Australian Red Cross Blood Service (ARCBS) performs a vital role in our society. (I am an O- blood donor and I encourage any person who is able to donate to do so. In fact, that's my arm in the cover photo for this story.)
Sadly, and disappointingly, despite this good work, ARCBS has inadvertently made 550,000 blood donor, or blood donor applicant, details available to those who had the inclination to trawl the Internet for Web servers that permit directory browsing.
To be clear, this is Australia's largest ever leak of personal data. It is larger than the Catch of the Day breach in 2011 (they only informed customers in 2014), albeit in ARCBS' case no credit card details have been compromised, as the donations are of a different type.
{loadposition david08}ARCBS wrote to donors like myself yesterday to "inform you of a recent data security issue ... if you have, since 2010, made an online inquiry to donateblood.com.au or been a part of our corporate blood donation program there is a possibility this issue concerns you".
Specifically, on 26 October, ARCBS "became aware a file containing donor information was placed in an insecure environment by a third party that develops and maintains the Blood Service’s website. This file contained registration information of 550,000 donors made between 2010 and 2016. Included in the file was information such as names, addresses and dates of birth".
"This information was copied by a person scanning for security vulnerabilities who then, through an intermediary, informed the Australian Cyber Emergency Response Team (AusCERT) with whom the Blood Service has membership.
"With assistance of AusCERT, the Blood Service took immediate action to address the problem. The Blood Service has been in communication with the Australian Cyber Security Centre and the Office of the Australian Information Commissioner.
"IDCARE, a national identity and cyber support service, has assessed the information accessed as of low risk of future direct misuse."
ARCBS went on to state that, to the best of its knowledge, all known copies of the data have been deleted and to state the online forms do not connect to the internal databases which contain more sensitive medical information.
Despite this "best knowledge", local security vendors advocate prudence.
Simon Howe, director of sales ANZ for LogRhythm, states, "Data breaches are damaging. It is unfortunate that the Red Cross could suffer loss of credibility and its donors inconvenienced as a result of the security breach. This is a sobering reminder for all organisations, non-profit included that its success in defending against a data breach is dependent on its level of preparation to respond to a successful intrusion.
"Attackers will successfully compromise systems, but a resulting data breach can be avoided if the organisation detects the intrusion quickly. To do so, and avoid a data breach, they must adopt modern technology that optimally aligns people and process with advanced analytics and workflow automation. Every organisation needs to be prepared for an attack and be able to respond quickly. Red Cross donors would be well advised to change their email passwords and be prepared for malicious emails or phone scams coming their way."
David Higgins, regional director – ANZ, WatchGuard Technologies, said, "This is a common scenario that we hear regularly. Unfortunately it doesn’t take long for an unprotected server to be compromised and more often than not these attacks are automated and random. Malware is everywhere and continuously trawling the Web looking for any network or website vulnerability and so unless a multilayered security approach supported by robust policies is in place, it’s not a case of ‘if’ an organisation will be breached, but ‘when’."
Specifically how the ARCBS breach occurred is explained by Troy Hunt who explains he is the intermediary ARCBS refers to, who contacted AusCERT.
Hunt explains the person who reached out to him had a 1.74Gb database back-up of donor, and donor applicant, data, from the donateblood.com.au Web server. This included more than 1.2 million records in a single donor table, along with another 646 database tables.
This breach was not sophisticated, and the fact it occurred is a disgraceful blight on the Web server security in place.
Specifically, the unnamed person who discovered this data was searching the Internet for publicly exposed Web servers which had directory browsing enabled. It so happened donateblood.com.au was one such website like this.
One such file in the directory listing was a MySQL database back-up.
It is stunning and shocking to think that the people maintaining ARCBS' website were so lacking in diligence and vigilance to have permitted these two things to happen – that directory browsing was enabled to the entire world, and that a database back-up would be saved to an Internet-facing public website folder.
To be clear, ARCBS states this was not the work of its internal team, but a third party partner. Nevertheless, this is how it happened. There was no hard-core attack, no compromising of a server, no brute-force password cracking, no SQL Server injection, but simply the negligence of those who were tasked with the configuration and maintenance of the public server.
It must also be stated that while Hunt and the person who reached out to him state they have destroyed their copy of the data there is no guarantee they were the only people who had a copy. One person discovered the data was available to the Internet and made this known. ARCBS must ask themselves how many people discovered the same database back-up earlier and chose not to divulge this revelation?
If you are affected by the ARCBS leak then you will be contacted, but a dedicated hotline has been established. You can contact the ARCBS and discuss your own personal scenario with an operator via phone 13 95 96 or email data@redcrossblood.org.au.
ARCBS has further arranged access to IDCARE, a national identity and cyber support service, who can provide counselling support from specialist counsellors and information on additional responses that may be unique to your own situation. If you would like to access these services please call 1300 432 273 or visit www.idcare.org.
Although IDCARE assessed the information accessed as of low risk for future direct misuse, there is always a risk that individuals could be contacted by cyber criminals and scammers via email and telephone (including SMS).
One would hope and expect ARCBS will be asking serious questions of its partners. At the same time, one would hope sincerely this experience does not diminish the enthusiasm of existing and potential blood donors. No matter what transpired, the ARCBS performs a vitally important activity and the greatest tragedy would be for donors to withdraw their services.