Red Cross has inadvertently leaked the personal information of 550,000 blood donors after publishing a backup database containing the data onto a publicly exposed web server. Security expert Troy Hunt has labelled this Australia’s largest ever leak of personal information and has criticised Red Cross’ security practices. Here’s exactly what kind of data was included in the database.
Hunt runs the website Have I Been Pwned, which tracks security breaches that expose confidential data. Earlier this week, through a tip-off, he obtained 1.76GB of data from donateblood.com.au, which is run by the Red Cross. It was a database that contained 1.28 million records. After weeding out the duplicate entries, he found the database contained the personal information of around half a million blood donors.
Red Cross has confirmed there were approximately 550,000 people on the database. iTNews has since revealed that the error was caused by one of Red Cross’ IT contractors, Precedent. The company was responsible for redesigning and maintaining the donateblood.com.au website.
The way the data was obtained was laughably easy. Someone just scanned IP addresses online for exposed web servers and looked for files with the .sql extension, the usual sign of a database backup left in a web directory.
“The database backup was published to a publicly facing website. This is really the heart of the problem because no way, no how should that ever happen,” Hunt said in a blog post. “There is no good reason to place database backups on a website, let alone a publicly facing one. There are many bad reasons (usually related to convenience), but no good ones.”
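The check a site operator would want after reading this is a simple one: nothing under the web document root should look like a database dump. The following is an added example, not code from the article, from Troy Hunt's post or from Red Cross or Precedent. It walks a document root and reports any file whose extension marks it as a backup; the extension list and the sample directory it builds (with a constructed, empty "dump") are assumptions for the demo.

```python
import os
import tempfile

# Extensions that normally indicate a database dump or backup archive.
# Assumed list for this example; extend it for the stack you actually run.
BACKUP_EXTENSIONS = (".sql", ".sql.gz", ".sql.zip", ".bak", ".dump", ".mdb")


def find_exposed_backups(webroot):
    """Walk a web document root and return the relative paths (forward-slash
    form, sorted) of files that look like database backups.

    Anything returned is a file the web server will happily serve to anyone
    who guesses or scans for its name, so the fix is to move it out of the
    document root entirely, not merely to rename it.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(webroot):
        for name in filenames:
            # Compare case-insensitively: "site.BAK" is as exposed as "site.bak".
            if name.lower().endswith(BACKUP_EXTENSIONS):
                rel = os.path.relpath(os.path.join(dirpath, name), webroot)
                findings.append(rel.replace(os.sep, "/"))
    return sorted(findings)


def build_sample_webroot():
    """Create a constructed throwaway document root for the demo run.

    The "dump" contains a single SQL comment and no records of any kind;
    it exists only so the scanner has something to find.
    """
    root = tempfile.mkdtemp(prefix="webroot-demo-")
    sample_files = {
        "index.html": "<html>ok</html>",
        "css/site.css": "body{}",
        "backups/donors-2016-09.sql": "-- constructed dump, no real records\n",
        "old/site.BAK": "junk",
    }
    for rel, content in sample_files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    root = build_sample_webroot()
    hits = find_exposed_backups(root)
    if not hits:
        print("no backup-looking files under", root)
    for hit in hits:
        print("backup file under web root:", hit)
```

Run it against a real document root (`find_exposed_backups("/var/www/html")`) from a cron job or a deploy hook; a non-empty result should fail the deployment. Blocking these extensions in the web server configuration is a reasonable second layer, but it does not substitute for keeping backups off the server in the first place, which is the point Hunt makes above.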
Here’s the list of information that could be found on the exposed Red Cross database:
- First name
- Last name
- Gender
- Physical address
- Email address
- Phone number
- Date of birth
- Blood type
- If they’d previously donated
- Country of birth
- When their record was created
- The type of donation (Plasma, Plasmapheresis, Platelet, Plateletpheresis, Whole Blood)
- When each donation occurred
- Donor eligibility answers
We don’t know who has a copy of the data from the compromised database. Troy Hunt has alerted the Red Cross and AusCERT about this issue, and Red Cross will be contacting affected donors.
This is the SMS they are sending out to potentially affected donors:
Comments
5 responses to “Red Cross Leaks Personal Data Of 550,000 Blood Donors In Australia’s Biggest Data Breach”
We need confirmation that the company that cocked up that badly has been sacked.
There must be some serious penalty for this kind of stuff.
Contractor found. I’ve updated the article 🙂
I love the SMS… It affects you, so click the unsolicited mysterious link sent to you, go on CLICK IT!!!
How many people have ignored that message thinking it’s a scam???
That’s what I thought as well when I saw the message.
Their Facebook page posted this earlier today. A lot of people don’t seem to care about the information leaked? They say you can get half that info on White Pages (which I don’t think you can); anyway, this info is the basis of identity fraud. One or two people’s details is nothing, but when you have a few thousand options you try and sign up to services like credit cards, etc. Maybe you get a 1 in 100 success; that’s still bad enough. People SHOULD be upset about this. People are putting both their time and their bodies on the line to donate vital resources and this is how people are repaid? A chocy milk, a biscuit and your personal information leaked.
It’s not going to stop anyone from donating imo (self included), but I think people will be a little more cautious when filling out that form, perhaps.