Personal information of some 550,000 Australian blood donors has been sitting exposed on a web developer’s server and has been downloaded by a person who effectively stumbled on it.
The person contacted Troy Hunt of the Have I Been Pwned (HIBP) online service, and has passed the information to him to choose what to do next.
Hunt contacted AusCERT, who then took on the responsibility to work with the Red Cross Blood Service to solve the issue.
The leaked data came in the form of a database backup, and the file contains over 1.2 million records for over half a million donors. These records include their name, date of birth, blood type, phone and email address, real world address, but also personal information about their health, and potentially sensitive information about their sexual activity in the last year.
The Red Cross Blood Service pinned the blame for the leak on the third party that develops its website, and said that the file includes info on individuals who donated blood between 2010 and 2016.
Apparently, the file was exposed on the server from 5 September 2016 to 25 October 2016.
As Hunt explains it, the 1.74GB database backup file was published to a publicly facing website, and the server had directory browsing enabled. The individual who took the file simply used that listing, saw the file, guessed its contents, and downloaded it.
He didn’t include the leaked data in his HIBP service, as Red Cross Blood Service took it upon themselves to notify each affected donor directly.
They have also fixed the security hole through which the data was exfiltrated.
The person who took the file says that he didn’t sell or give the file to anyone else, and that he has destroyed it. Hunt did the same.
The Service is still investigating if someone else exfiltrated the data.
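Whether anyone else fetched the file during the seven weeks it sat on the server is the kind of question that is normally answered from the web server's access logs. The following Python is an added example (not code from the article, from Hunt, or from the Blood Service) that flags every client that successfully downloaded a backup-like file from constructed Apache-style combined log lines; the log format, the list of file extensions and the sample addresses are assumptions.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" access-log format (assumed; adjust the regex if your server logs differ).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)
# Extensions typical of database dumps and site backups that should never sit in a web root.
BACKUP_RE = re.compile(r'\.(sql\.gz|sql|bak|dump|tar\.gz|zip|7z)$', re.IGNORECASE)

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None  # line does not match the assumed format
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec

def find_backup_downloads(lines):
    """Return {client_ip: {"dir_requests": n, "downloads": [(path, bytes), ...]}} for every
    client that successfully fetched a backup-like file (200 = full, 206 = partial/resumed).
    dir_requests counts 200s for paths ending in '/', where a directory listing would be
    served; ordinary index pages match too, so treat that number as context only."""
    hits = defaultdict(lambda: {"dir_requests": 0, "downloads": []})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET":
            continue
        path = rec["path"].split("?", 1)[0]  # drop any query string before matching
        if rec["status"] == 200 and path.endswith("/"):
            hits[rec["ip"]]["dir_requests"] += 1
        elif rec["status"] in (200, 206) and BACKUP_RE.search(path):
            hits[rec["ip"]]["downloads"].append((path, rec["bytes"]))
    return {ip: h for ip, h in hits.items() if h["downloads"]}

def bytes_per_client(hits):
    """Total bytes of backup-like files served to each flagged client."""
    return {ip: sum(b for _, b in h["downloads"]) for ip, h in hits.items()}

# Constructed sample lines (not real log data); addresses are from documentation ranges.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Sep/2016:02:14:07 +1000] "GET /backups/ HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Sep/2016:02:14:22 +1000] "GET /backups/db-backup.sql HTTP/1.1" 200 1868200000 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Sep/2016:09:01:00 +1000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Sep/2016:09:01:03 +1000] "GET /site.bak HTTP/1.1" 404 210 "-" "Mozilla/5.0"
192.0.2.55 - - [20/Oct/2016:23:40:11 +1000] "GET /backups/db-backup.sql HTTP/1.1" 206 104857600 "-" "curl/7.47.0"
""".splitlines()
```

Run `find_backup_downloads(SAMPLE_LOG)` to get the two clients that actually received the dump; the 404 probe and the ordinary page view are not reported.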
“If organisations don’t track where their data is moving and who holds it, it’s only a matter of time before a damaging breach occurs. With sensitive data often passing between multiple companies during partnerships and sales, it’s essential that organisations have a data-centric security strategy in place to ensure that data is secure wherever it goes,” Steve Murphy, senior vice president EMEA at data giant Informatica, commented for Help Net Security.
“The cost of poor data security is now far more than just financial. Consumers are sharing more and more personal information with a wide range of organisations, from medical trusts to e-vendors. As a result, businesses which fail to secure that data risk inadvertently exposing their customers to blackmail, impersonation and scams – not to mention the reputational damage to the company. All types of organisations must address their data security now to be sure they do not fall prey to a disastrous data breach.”