Red Cross Leaks Personal Data Of 550,000 Blood Donors In Australia’s Biggest Data Breach

Red Cross has inadvertently leaked the personal information of 550,000 blood donors after publishing a backup database containing the data onto a publicly exposed web server. Security expert Troy Hunt has labelled this Australia’s largest ever leak of personal and criticised Red Cross’ security practices. Here’s exactly what kind of data was included in the database.

Hunt runs the website Have I Been Pwned which tracks security breaches that expose confidential data. Earlier this week, through a tip off, he obtained that 1.76GB worth of data from which is run by the Red Cross. It was a database that contained 1.28 million records. After weeding out the duplicate entries, he found the database contained the personal information of around half a million blood donors.

Red Cross has confirmed there was approximately 550,000 people on the database. iTNews has since revealed that the error was caused by one of Red Cross’ IT contractors Precedent. The company was responsible for redesigning and maintaining the website.

The way the data was obtained was laughably easy. Someone just scanned IP addresses online for exposed web servers and looked for files with the .sql extension for database backups.

“The database backup was published to a publicly facing website. This is really the heart of the problem because no way, no how should that ever happen,” Hunt said in a blog post. “There is no good reason to place database backups on a website, let alone a publicly facing one. There are many bad reasons (usually related to convenience), but no good ones.”

Here’s the list of information that could be found on the exposed Red Cross database:

  1. First name
  2. Last name
  3. Gender
  4. Physical address
  5. Email address
  6. Phone number
  7. Date of birth
  8. Blood type
  9. If they’d previously donated
  10. Country of birth
  11. When their record was created
  12. The type of donation (Plasma, Plasmapheresis, Platelet, Plateletpheresis, Whole Blood)
  13. When each donation occurred
  14. Donor eligibility answers

We don’t know who has a copy the data from the compromised database and Troy Hunt has alerted the Red Cross and AusCert about this issue. Red Cross will be contacting affected donors.

This is the SMS they are sending out to potentially affected donors:

[Troy Hunt]

The Cheapest NBN 50 Plans

Here are the cheapest plans available for Australia’s most popular NBN speed tier.

At Lifehacker, we independently select and write about stuff we love and think you'll like too. We have affiliate and advertising partnerships, which means we may collect a share of sales or other compensation from the links on this page. BTW – prices are accurate and items in stock at the time of posting.


5 responses to “Red Cross Leaks Personal Data Of 550,000 Blood Donors In Australia’s Biggest Data Breach”