The leak in Australia happened because a file was left unsecured by a third party provider.
The Australian Red Cross said its blood donor service has found that registration information of 550,000 donors had been compromised, which the agency blamed on human error by a third-party contractor.
The moot issue at this point, which may decide how the breach unfolds, is that nobody knows how many people have the data. The information from 2010 to 2016 was available on the website from Sept. 5 to Oct. 25. this year.
The database backup, consisting of 1.74GB with about 1.3 million records, contains information about blood donors, such as name, gender, physical address, email address, phone number, date of birth, blood type, country of birth, and previous donations, according to security researcher Troy Hunt.
In a statement apologizing for the incident, the Australian Red Cross said Friday that its Blood Service became aware on Oct. 26 that the file containing donor information had been placed in “an insecure environment” by the third party charged with developing and maintaining the Blood Service’s website.
The information was copied by a person who was scanning for security vulnerabilities who later, through an intermediary, informed the Australian Cyber Emergency Response Team (AusCERT) with whom the Blood Service has membership, the Australian Red Cross said.
“We have managed to have all known copies of the archive deleted, and have removed the vulnerability from the web developer’s server,” it added. The agency has also hired a team of experts to do the forensic analysis of the incident and is also setting up a task force to evaluate governance and the security structures of the blood service.
Hunt wrote that he was contacted on Tuesday morning by someone who found the data on donateblood.com.au, the website of the Blood Service, while scanning internet IP addresses on the lookout for publicly exposed web servers returning directory listings. The backup database was published to a publicly facing website, which had directory browsing enabled on the server, according to Hunt.
“Showing a public listing of the file contents of the server is a well-known risk and there’s rarely a valid justification for this, precisely for the sorts of reasons demonstrated with this incident,” he wrote.
Troy said he contacted AusCERT, the Australian version of the computer emergency response teams that many countries including the U.S. have, and they got in touch with the Red Cross.