Red Cross left database backups exposed online

Oct 28, 2016 13:30 GMT

The Australian Red Cross Blood Service is now in possession of the title of "Australia's biggest data breach," after admitting to exposing 1.2 million donor records, for around 550,000 different individuals.

According to Troy Hunt, founder of data breach index site Have I Been Pwned, the cause of the breach was a database backup file that was published inside a publicly accessible web directory.

Left exposed by one of the Red Cross' partners, the file was eventually discovered by an unknown individual who, after realizing what he had stumbled upon, provided the data to Hunt so he could index it on his site and disclose it to the organization.
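One defensive check for the failure described above, as an added example that is not the article's or the Red Cross's own code: it walks a web root and flags files that look like database backups either by name or by the leading bytes of common dump formats, so a dump renamed to something innocuous is still caught. The sample web root it builds in a temp directory is constructed for the demo.

```python
# Added example (not the article's or the Red Cross's code): audit a web root for
# database backup artifacts that a web server would hand to anyone who asks.
import os
import re
import tempfile
from typing import List, Tuple

# File-name patterns typical of database exports dropped into a web directory.
BACKUP_NAME = re.compile(
    r"\.(sql|bak|dump|dmp)(\.(gz|zip|bz2|xz|7z))?$|\.(tar\.gz|tgz)$", re.IGNORECASE
)
# Leading bytes of common dump formats, checked so a renamed dump is still caught.
DUMP_MAGIC = (
    b"-- MySQL dump",                # mysqldump text output
    b"-- PostgreSQL database dump",  # pg_dump plain format
    b"PGDMP",                        # pg_dump custom format
    b"SQLite format 3\x00",          # raw SQLite database file
)

def looks_like_dump(path: str) -> bool:
    """Sniff the first bytes of a file for a known dump signature."""
    with open(path, "rb") as fh:
        head = fh.read(64)
    return any(head.startswith(magic) for magic in DUMP_MAGIC)

def find_exposed_backups(web_root: str) -> List[Tuple[str, int, str]]:
    """Return (relative path, size in bytes, reason) for each suspicious file."""
    findings = []
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, web_root)
            if BACKUP_NAME.search(name):
                findings.append((rel, os.path.getsize(full), "backup-style name"))
            elif looks_like_dump(full):
                findings.append((rel, os.path.getsize(full), "dump header"))
    return sorted(findings)

def demo() -> List[Tuple[str, int, str]]:
    """Constructed web root: one page, one named backup, one renamed MySQL dump."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "assets"))
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<html></html>")
    with open(os.path.join(root, "assets", "donors.sql.gz"), "wb") as fh:
        fh.write(b"\x1f\x8b" + b"\x00" * 30)       # gzip header; the name flags it
    with open(os.path.join(root, "assets", "export.txt"), "wb") as fh:
        fh.write(b"-- MySQL dump 10.13\n")        # innocent name; the header flags it
    return find_exposed_backups(root)
```

Run it against the document root of each partner-managed site on a schedule; anything it reports should either be moved outside the served tree or be explicitly justified.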

550,000 Australians affected

An analysis of the data revealed that the 1.74GB database backup file contained 1,286,366 records spread across 647 different database tables. After removing duplicates (persons who donated more than once), Hunt says the database backup file contained the personal records of over 550,000 Australians.

The type of data exposed in the leak includes details such as first and last names, gender, email address, home address, phone numbers, date of birth, country of birth, blood type, if they'd previously donated, when the person had been indexed in the database, date of the donation, donation type (plasma, plasmapheresis, platelet, plateletpheresis, whole blood), and donor answers.

Hunt says that some donor answers were for very sensitive questions, such as "In the last 12 months, have you engaged in at-risk sexual behavior?"

Red Cross admits to blunder

In the days after receiving and analyzing the data, Hunt worked with AusCERT (the Australian Computer Emergency Response Team), which informed the local Red Cross branch of the leak and collaborated with the organization to have it secured.

The Australian Red Cross Blood Service admitted to the breach and is currently in the midst of notifying all the people whose data was exposed in the incident.

Both the source and Hunt said they deleted the data from their systems. Hunt also declined to load the data into the Have I Been Pwned? search engine, the second time he has taken this step, having previously deleted the leaked VTech data because it contained the personal details of small children.