Red Cross Data Breach Exposes 550,000 Australian Donors

October 31, 2016, Written By John H. Oldshue

A massive security breach in Australia exposed the personal information of 550,000 Red Cross blood donors. The exposed information, which dates back to 2010, includes donor names, addresses, contact details, blood type and details of previous donations.

The data, which was available online from September 5 until October 26, also included information about whether the donor had taken drugs or engaged in “at-risk sexual behavior.”

The American Red Cross said the breach was caused by human error. The file was a back-up of the inquiry form that is available on the Australian Red Cross Blood Service website. Chief executive Shelly Park said, “we learned that a file, containing donor information, which was located on a development website, was left unsecured by a contracted third party who develops and maintains our website.”

She said the file has been removed, and the incident is now being investigated. The Red Cross has also promised to work with cyber security firm AusCERT to delete “all known copies” of the archive online.

Troy Hunt, who operates the website Have I Been Pwned, has called this Australia’s “largest ever leak of personal data.”

Hunt reported on his blog that an anonymous individual contacted him about “1.76GB worth of data from donateblood.com.au” and said the information would be easy to access. Hunt explained that the Red Cross’s database was backed up to a publicly facing website, which is convenient but insecure.

While just over half a million records were exposed, a total of 1.3 million records were available.



The information contained within this article was accurate as of October 31, 2016.