The Australian Red Cross Blood Service has apologised to donors after a backup of a key database was placed on a publicly accessible web server.
The file contained details including registration data from 550,000 donors, such as blood type, name, contact details, date of birth and gender. Security pro Troy Hunt, creator of Have I been pwned?, said he notified AusCERT of the breach after he was contacted by an unnamed third party with evidence of the breach.
In a blog entry Hunt said that the individual who discovered the breach had been scanning web servers for SQL dumps.
The Blood Service said in a statement that it had contacted the Australian Cyber Security Centre and the Australian Federal Police and notified the Office of the Australian Information Commissioner (OAIC) of the “potential breach”.
“The Australian Red Cross Blood Service has advised my office of a data breach from the DonateBlood website,” Privacy Commissioner Timothy Pilgrim said. “In doing so, Red Cross has provided details of what occurred and steps taken to contain the breach. I welcome their prompt actions to prevent any further disclosure of this highly sensitive personal information.”
“I will be opening an investigation into this matter and will work with the Red Cross to assist them in addressing the issues arising from this incident,” Pilgrim said.
“To our knowledge all known copies of the data have been deleted. However investigations are continuing,” CEO Shelly Park said.
“We are incredibly sorry to our donors. We are deeply disappointed this could happen. We take full responsibility and I assure the public we are doing everything in our power to not only right this but to prevent it from happening again,” Park said.
“We need your continued support to donate blood and feel confident that this will not reoccur in the future.”
The service has launched a website for donors to find out more information.
The service has also notified donors, including via SMS messages sent out this afternoon.
In his blog entry Hunt wrote that the breach “should not discourage anyone from giving blood in the future because as important as this incident is, it pales in comparison to making a donation that could save lives”.