Australian Red Cross Leak Exposes Contractor Risks
Large Database of Blood Donors Published on Public-Facing Server
Australia's largest-ever known breach of personal data shows the risks incurred when depending on IT contractors, whose errors can be damaging and difficult to catch.
On Oct. 28, the Australian Red Cross apologized to 550,000 registered blood donors after personal details and answers to sensitive medical questions were inadvertently posted online by an IT services contractor for about seven weeks over the past two months.
An unnamed person discovered a 1.7 GB MySQL database backup belonging to the Australian Red Cross through a simple web scan looking for insecure web servers. The person notified Troy Hunt, an Australian data breach expert, who reported the leak to Australia's nonprofit cyber emergency response team, AusCERT. Hunt believes the contractor who posted the data does not have malicious intentions.
The most sensitive information in the leak included health questions, such as whether people believed they have engaged in risky sexual behavior, which may exclude them from donating blood. The questionnaire also asks about pregnancy, use of antibiotics, planned surgeries, travel plans, dental work, piercings and tattoos, according to the Australian Red Cross's blood-donation information page.
Of Australia's largest known data breaches, "none of them had data anywhere near as sensitive as what the Red Cross holds on blood donors," Hunt writes on his website, noting that both his own data and that of his wife were contained in the leak.
Also leaked was the usual identifying information, including names, addresses, birthdates, genders, email addresses and mobile phone numbers - all pieces of information that are relatively easy for an attacker to obtain, but could be used for identity theft.
So far, investigators say they do not believe the leaked data circulated widely. But as with any data breach, just one copy of a data set is all that might be required to spread the information far and wide. A team of experts is investigating the leak to conduct a digital forensic analysis, and the Red Cross is creating a task force to review its governance and security procedures around its blood donor program. Australia's Office of the Information Commissioner, which is the national data protection authority, is also investigating.
When businesses lose data and dent consumers' confidence, it's a potential revenue hit. But the impact on the Red Cross could be worse: If fewer people donate blood, it could mean life-threatening situations for patients.
"There's a real chance that people may actually feel less inclined to give blood," Hunt writes.
The Red Cross retained an IT contractor, Precedent, which specializes in content management systems. The donor information file was inadvertently published on a public-facing web server.
That server had directory browsing enabled, which would allow anyone from the public internet to view other files. Hunt says that the person who discovered the backup file had merely scanned internet IP addresses for servers that returned directory listings.
The person found the Red Cross data by looking for files in directories with a ".sql" extension, indicating what was - in this case - a database backup. The backup was not encrypted. It was online between Sept. 4 and Oct. 25, although the Red Cross is still verifying that window of exposure time.
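The two conditions described above, a database dump sitting under a public web root and a server that returns directory listings, are both things an operator can check for on their own hosts. The following audit script is an added example written for this article; it is not code from the Red Cross, Precedent or Troy Hunt, and the document root, configuration file paths and file-name patterns it uses are assumptions that must be adjusted to the server being reviewed.

```shell
#!/bin/sh
# Audit a web document root for database dumps and backup archives that
# should never be reachable from a public-facing web server, and flag
# server configuration that enables directory listings.
# Paths and name patterns are assumptions for this example.

# Print one path per line for every file under DOCROOT whose name suggests
# a database dump or backup (.sql, compressed .sql, .dump, .bak, archives).
# Always exits 0 so the caller can count the output lines.
find_exposed_dumps() {
    docroot="$1"
    find "$docroot" -type f \( \
        -iname '*.sql' -o -iname '*.sql.gz' -o -iname '*.sql.zip' \
        -o -iname '*.dump' -o -iname '*.bak' -o -iname '*.tar.gz' \
        -o -iname '*.zip' \) 2>/dev/null | sort
}

# Return 0 when the given configuration file turns directory listings on:
#   Apache: an "Options" line carrying a bare or "+Indexes" token
#           ("Options -Indexes" is the hardened form and does not match)
#   nginx:  "autoindex on;" ("autoindex off;" is the hardened form)
# Return 1 otherwise.
listing_enabled() {
    conf="$1"
    if grep -Ei '^[[:space:]]*Options([[:space:]]+[-+]?[A-Za-z]+)*[[:space:]]+\+?Indexes([[:space:]]|$)' \
            "$conf" >/dev/null 2>&1; then
        return 0
    fi
    if grep -Ei '^[[:space:]]*autoindex[[:space:]]+on' "$conf" >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# Usage: audit.sh DOCROOT CONFIG_FILE
# (assumed invocation; example paths: /var/www/html /etc/apache2/apache2.conf)
if [ "$#" -ge 2 ]; then
    dumps=$(find_exposed_dumps "$1")
    if [ -n "$dumps" ]; then
        echo "Backup or dump files found under web root:"
        printf '%s\n' "$dumps"
    else
        echo "No dump or backup files found under $1"
    fi
    if listing_enabled "$2"; then
        echo "Directory listing is ENABLED in $2"
    else
        echo "Directory listing is disabled in $2"
    fi
fi
```

The file-name check is deliberately broad: an attacker scanning for listings does not need to guess anything once a directory index is served, so any archive under the document root is a finding regardless of its extension. The listing check only inspects a single configuration file; on hosts that split configuration across included files or `.htaccess`, run it against each, and keep backups outside the document root and encrypted rather than relying on the listing setting alone.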
In a short statement published Oct. 28, Precedent says that it is working with authorities, and that the leak has been isolated.
"We are taking the matter extremely seriously, and we have taken immediate steps to investigate the issue," writes Paul Hoskins, chairman of Precedent.
Catching such mistakes isn't easy, Hunt says. Audits and code reviews aren't necessarily going to catch problems. Before retaining contractors, companies will perform due diligence checks. After one is hired, companies pass along their data-handling guidelines.
But in the case of Precedent, "the mistake is blatantly, egregiously stupid," Hunt says in a phone interview. There was probably no reason for Precedent to even have such highly sensitive data in the first place, a cautionary tale for organizations, he adds.
Destroying the Data
Hunt has elected to not put the Red Cross data into Have I Been Pwned, his free and popular breach-notification service, for a few reasons.
One is that the Red Cross is already notifying those affected, which would make including the data in his service redundant. Also, he says that given the nature of the Red Cross's work, he wanted to minimize the impact.
Hunt has destroyed his copy of the data, and he says the source who passed it to him has pledged not to distribute it and to destroy it as well.
A deep network of anonymous sources passes Hunt tips and leaked data for inclusion in his service. Ironically, Hunt says that just prior to the Red Cross leak, someone passed him data that had also been left in an open directory on a public web server, and he's received even more tips since.
"Multiple people have consequently sent me all sorts of links to other database backups on the public web just the same as this," says Hunt, who plans to detail his findings soon. "It is so rampant."
It also shows that sophisticated hacking isn't behind every breach.
"It's just interesting how much effort we put in to educating around very sort of sophisticated attacks ... and then you go, yeah, people are still putting databases on public websites," Hunt says.