The leak of Australian Red Cross Blood Service donor data is being described by experts as the ‘most severe’ yet, given the sensitivity of the information involved. The exposed database was discovered on October 24th by a security researcher who was scanning the internet for exposed servers.
One of the Australian Red Cross Blood Service’s third-party service providers inadvertently exposed a backup of a database holding the personal details of 550,000 people. The backup was publicly accessible from September 5th to October 25th.
The person who discovered the exposed database reported it to Troy Hunt, a security expert and regional director for Microsoft who runs the data breach notification service haveibeenpwned.com.
The 1.74GB leaked file is a mysqldump backup containing 1.3 million records, including names, gender, physical addresses, phone numbers, blood types, donation dates, eligibility questionnaire answers, donation types and other fields.
In his blog post, Troy Hunt wrote, “In the Red Cross’ case, the data that was ultimately leaked was a database backup. That 1.74GB was simply a mysqldump file that had everything in it. Taking a database backup is not unusual (in fact it’s pretty essential for disaster recovery), it’s what happened next that was the problem.”
He wrote, “The database backup was published to a publicly facing website. This is really the heart of the problem because no way, no how should that ever happen. There is no good reason to place database backups on a website, let alone a publicly facing one. There are many bad reasons (usually related to convenience), but no good ones.”
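The failure Hunt describes is simple to check for: walk the web server’s document root for anything that looks like a database dump, and if one turns up, inventory what it exposes before anyone else does. The script below is an added illustration written for this article; it is not code from the original report or from Troy Hunt. The web root it scans, the sample mysqldump text and the list of personal-data column names are all constructed assumptions.

```python
"""Added example (not code from the article or from Troy Hunt): find database
dumps lying under a web root and triage what a mysqldump file exposes.
The web root, the dump text and the PII column list are constructed assumptions."""
import os
import re
import tempfile

# File-name suffixes that usually mean "database backup" (assumed list, not exhaustive).
BACKUP_SUFFIXES = (".sql", ".sql.gz", ".dump", ".bak", ".mysqldump")

# Column names that usually carry personal data (assumed list).
PII_COLUMNS = {"name", "first_name", "last_name", "address", "phone", "email",
               "dob", "date_of_birth", "blood_type", "gender"}

# mysqldump emits one CREATE TABLE block and one-line INSERT ... VALUES statements per table.
CREATE_RE = re.compile(r"CREATE TABLE `?(\w+)`? \((.*?)\)\s*(?:ENGINE|;)", re.S)
COLUMN_RE = re.compile(r"^\s*`(\w+)`", re.M)
INSERT_RE = re.compile(r"^INSERT INTO `?(\w+)`? .*?VALUES\s*(.*);$", re.M)

# Constructed sample dump, shaped like the file described in the article.
SAMPLE_DUMP = """-- MySQL dump (constructed sample for this example)
DROP TABLE IF EXISTS `donors`;
CREATE TABLE `donors` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `first_name` varchar(100) DEFAULT NULL,
  `last_name` varchar(100) DEFAULT NULL,
  `dob` date DEFAULT NULL,
  `blood_type` varchar(3) DEFAULT NULL,
  `phone` varchar(20) DEFAULT NULL,
  PRIMARY KEY (`id`)
) ENGINE=InnoDB;
INSERT INTO `donors` VALUES (1,'Jane','Doe','1980-01-01','O+','0400000000'),(2,'John','O\\'Brien','1975-06-15','A-','0411111111'),(3,'Ann','Lee, Jr.','1990-03-03','B+','0422222222');
CREATE TABLE `donation_types` (
  `id` int(11) NOT NULL,
  `label` varchar(50) DEFAULT NULL,
  PRIMARY KEY (`id`)
) ENGINE=InnoDB;
INSERT INTO `donation_types` VALUES (1,'Whole blood'),(2,'Plasma');
"""


def find_backup_files(web_root):
    """Walk a web root and return every file whose name looks like a database dump."""
    hits = []
    for dirpath, _, files in os.walk(web_root):
        for fn in files:
            if fn.lower().endswith(BACKUP_SUFFIXES):
                hits.append(os.path.join(dirpath, fn))
    return sorted(hits)


def count_value_tuples(blob):
    """Count the (...) tuples in a VALUES list without being fooled by commas or
    parentheses inside quoted strings (mysqldump uses single quotes with backslash escapes)."""
    count = depth = 0
    in_str = esc = False
    for ch in blob:
        if in_str:
            if esc:
                esc = False
            elif ch == "\\":
                esc = True
            elif ch == "'":
                in_str = False
        elif ch == "'":
            in_str = True
        elif ch == "(":
            if depth == 0:
                count += 1
            depth += 1
        elif ch == ")":
            depth -= 1
    return count


def triage_dump(text):
    """Return {table: {"columns": [...], "pii": [...], "rows": n}} for a mysqldump file."""
    report = {}
    for name, body in CREATE_RE.findall(text):
        cols = COLUMN_RE.findall(body)
        report[name] = {"columns": cols,
                        "pii": [c for c in cols if c.lower() in PII_COLUMNS],
                        "rows": 0}
    for name, blob in INSERT_RE.findall(text):
        entry = report.setdefault(name, {"columns": [], "pii": [], "rows": 0})
        entry["rows"] += count_value_tuples(blob)
    return report


def demo():
    """Build a throwaway web root with an index page and a stray dump, then scan it."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "backups"))
    with open(os.path.join(root, "index.html"), "w") as f:
        f.write("<html><body>donor portal</body></html>\n")
    with open(os.path.join(root, "backups", "db-backup.sql"), "w") as f:
        f.write(SAMPLE_DUMP)
    found = find_backup_files(root)
    reports = {}
    for path in found:
        with open(path) as f:
            reports[path] = triage_dump(f.read())
    return found, reports


if __name__ == "__main__":
    found, reports = demo()
    for path in found:
        print("exposed dump:", path)
        for table, info in reports[path].items():
            print(f"  {table}: {info['rows']} rows, PII columns: {info['pii'] or 'none'}")
```

The scan is a detective control only: the preventive fix is the one Hunt states, keeping backups out of any web-served directory altogether, so that there is nothing for a scanner to find in the first place.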
Hunt reported the issue to AusCERT and the Australian Red Cross Blood Service, which in turn notified the Australian Cyber Security Centre, the Office of the Australian Information Commissioner and the Australian Federal Police.
According to the Australian Red Cross Blood Service, the registration data of the 550,000 people dates from between 2010 and 2016.
The formal announcement made by the organization states, “This file contained registration information of 550,000 donors made between 2010 and 2016. The file was part of an online application to give blood and information such as names, addresses, dates of birth and some personal details are included in the questionnaire.”
It is currently unclear whether anyone with malicious intent accessed the database; however, IDCARE, Australia and New Zealand’s national identity support service, says the risk to blood donors is low.