Blood service reveals accidental data breach
PERSONAL details of more than half a million Australians have been publicly available online for almost two months after an accidental leak.
The breach, labelled the country’s biggest personal data leak, was revealed by the Australian Red Cross Blood Service yesterday.
The organisation’s web developer unintentionally placed a back-up copy of an online inquiry form on an unsecured website in early September.
The data was accessed once this week by a member of the public before the Australian Cyber Emergency Response Team was notified and killed the site on Wednesday.
“It’s not something you could Google but it’s a website that, when someone is provided with the link, they might be able to access,” Red Cross Blood Service spokesman Shaun Inguanzo said.
The organisation’s chief executive Shelly Park apologised unreservedly for the breach, which included names and addresses of donors dating back to 2010.
“I wish to stress that this file does not contain the deep, personal records of people’s medical history or their test results,” she said.
Cyber security expert Troy Hunt was the person who contacted AusCERT after some- one else gave him the data.
“In terms of the numbers of records we’ve seen from an Australian organisation (more than 1.2 million), there’s no data breach I’m aware of that’s larger than this,” he said.
Mr Hunt and his wife are blood donors, and their names, address, dates of birth, phone numbers and email addresses were included in the leak.
Red Cross Blood Service said its systems were secure and, to its knowledge, all copies of data had been deleted.
ID Care, Australia and New Zealand’s National Identity Support Service, believed the data was at a low risk of future misuse.
Mr Hunt did not believe the person who found it was targeting the Red Cross. The blood service is notifying all affected donors, who can also call 13 95 96 or visit info.donateblood.com.au