Red Cross has inadvertently leaked the personal information of 550,000 blood donors after publishing a backup database containing the data onto a publicly exposed web server. Security expert Troy Hunt has labelled this Australia's largest ever leak of personal and criticised Red Cross' security practices. Here's exactly what kind of data was included in the database.
Hunt runs the website Have I Been Pwned which tracks security breaches that expose confidential data. Earlier this week, through a tip off, he obtained that 1.76GB worth of data from donateblood.com.au which is run by the Red Cross. It was a database that contained 1.28 million records. After weeding out the duplicate entries, he found the database contained the personal information of around half a million blood donors.
Red Cross has confirmed there was approximately 550,000 people on the database. iTNews has since revealed that the error was caused by one of Red Cross' IT contractors Precedent. The company was responsible for redesigning and maintaining the donateblood.com.au website.
The way the data was obtained was laughably easy. Someone just scanned IP addresses online for exposed web servers and looked for files with the .sql extension for database backups.
"The database backup was published to a publicly facing website. This is really the heart of the problem because no way, no how should that ever happen," Hunt said in a blog post. "There is no good reason to place database backups on a website, let alone a publicly facing one. There are many bad reasons (usually related to convenience), but no good ones."
Here's the list of information that could be found on the exposed Red Cross database:
- First name
- Last name
- Physical address
- Email address
- Phone number
- Date of birth
- Blood type
- If they'd previously donated
- Country of birth
- When their record was created
- The type of donation (Plasma, Plasmapheresis, Platelet, Plateletpheresis, Whole Blood)
- When each donation occurred
- Donor eligibility answers
We don't know who has a copy the data from the compromised database and Troy Hunt has alerted the Red Cross and AusCert about this issue. Red Cross will be contacting affected donors.
This is the SMS they are sending out to potentially affected donors: