In what is Australia’s biggest data breach of medical information, more than 550,000 customers of the Australian Red Cross Blood Service had personal and medical details exposed online and leaked to an anonymous hacker last week.
According to the Blood Service, the leaked data was contained in a backup of a database behind its website. One part of the database held the answers to an online questionnaire which donors complete in order to book an appointment with the service. The questionnaire covers the donor's name, age and address, but also medical questions about the donor's current health, pregnancy status and, finally, whether the donor has, in the last 12 months, engaged in at-risk sexual behaviour.
The backup database had been left, not on the Blood Service website, but on a server managed by the Blood Service's website developer, Precedent. It was found there by an anonymous hacker who had been scanning sites for security vulnerabilities and stumbled across the completely unprotected backup file.
On realising what the data was, the hacker contacted a consultant, Troy Hunt, who runs a site called "Have I Been Pwned". Have I Been Pwned allows people to check whether their email address and other details have been leaked and made publicly available in previous data breaches. Hunt's and his wife's details were included in the Blood Service database because they had both donated blood in Australia. Hunt contacted AusCERT, a cyber emergency response team located at the University of Queensland, and informed them of the breach and the data he had been sent.
AusCERT in turn contacted the Blood Service, which then notified its donors of the breach. Hunt and the anonymous hacker both deleted their copies of the backup database. Security specialists engaged by the Blood Service to review the breach concluded it was unlikely the database had been discovered by anyone else during the time it was accessible on the internet.
For the time being, it looks like the Blood Service has managed to dodge what could have been an even more devastating blow to its credibility. While most donors (including Troy Hunt) may not let this incident stop them from donating in future, the incident does bring into question the overall capability of the Blood Service to protect extremely sensitive information about its donors. A question it should be addressing is why it was collecting and saving this information through its website in this manner in the first place. An even bigger question is whether it will continue to collect and save this information in the same way.
What the Blood Service should be asking itself is:
[1] Do we really need to collect this information? In the case of the Blood Service the answer is probably no. While it seems efficient to ask screening questions on the appointment questionnaire, none of the answers need to be stored if the point is simply to tell people that they are unlikely to be eligible to donate blood: the eligibility decision can be computed and returned, and the answers discarded.
[2] Do we know where all of our data is? In the case of the Blood Service, and indeed its contractor Precedent, the answer was clearly no. A developer had taken a backup of the live database, which he or she should not have needed access to, and placed it on an unsecured server that was exposed to the internet. Considering the type of sensitive information the Blood Service dealt with, entrusting that information to a web developer without any checks or process in place to prevent copies of it being made and left in reachable places highlights the inexperience of the Blood Service.
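The failure described above is a stray copy of a production database sitting where a web server will happily serve it. As an added example (not code from this article, nor from the Blood Service or Precedent), the following Python script shows the kind of routine check that would have caught it: it walks a web document root, flags files that look like database exports either by file name or by their leading bytes (so that a renamed dump is still found), and reports whether each is world-readable. The directory layout and the sample files it creates are constructed for the demonstration; the dump signatures are the real leading bytes written by mysqldump, pg_dump and SQLite.

```python
"""Audit a web document root for database dumps that should never be reachable from the web.

Added example, not code from the original article or from the organisations it names.
It builds a throwaway directory standing in for a web root (constructed sample data),
then flags files that look like database dumps by extension or by their leading
bytes, and records whether each one is world-readable.
"""
import stat
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# File-name suffixes that commonly hold database exports or whole-site backups.
BACKUP_SUFFIXES = (".sql", ".sql.gz", ".dump", ".bak", ".db",
                   ".sqlite", ".sqlite3", ".tar.gz", ".zip")

# Leading bytes of common dump formats. Renaming a file does not change these.
MAGIC = {
    b"-- MySQL dump": "mysqldump text export",
    b"PGDMP": "PostgreSQL custom-format dump",
    b"SQLite format 3\x00": "SQLite database file",
    b"--\n-- PostgreSQL database dump": "pg_dump plain-text export",
}


def sniff(path: Path) -> Optional[str]:
    """Return a format label if the file starts with a known dump signature."""
    try:
        with path.open("rb") as fh:
            head = fh.read(64)
    except OSError:
        return None  # unreadable by the auditor; still reported by name if it matches
    for magic, label in MAGIC.items():
        if head.startswith(magic):
            return label
    return None


def is_world_readable(path: Path) -> bool:
    """True if the 'other' read bit is set, i.e. any local account can read it."""
    return bool(path.stat().st_mode & stat.S_IROTH)


def find_exposed_backups(docroot: Path) -> List[Dict]:
    """Walk the docroot and return every backup-like file with its reason and permissions."""
    findings = []
    for path in docroot.rglob("*"):
        if not path.is_file():
            continue
        name = path.name.lower()
        by_name = any(name.endswith(s) for s in BACKUP_SUFFIXES)
        by_magic = sniff(path)
        if by_name or by_magic:
            findings.append({
                "path": path.relative_to(docroot).as_posix(),
                "reason": by_magic or "backup-like file name",
                "world_readable": is_world_readable(path),
                "bytes": path.stat().st_size,
            })
    return sorted(findings, key=lambda f: f["path"])


def build_sample_docroot() -> Path:
    """Constructed sample web root: one legitimate page plus three risky files."""
    root = Path(tempfile.mkdtemp(prefix="docroot-"))
    (root / "index.html").write_text("<h1>Book a donation</h1>\n")
    # Obvious case: a mysqldump export left beside the site and readable by all.
    dump = root / "db_backup.sql"
    dump.write_bytes(b"-- MySQL dump 10.13  Distrib 5.7\n-- Host: localhost\n")
    dump.chmod(0o644)
    # Renamed to look harmless, but the SQLite header gives it away.
    (root / "assets").mkdir()
    hidden = root / "assets" / "data.bin"
    hidden.write_bytes(b"SQLite format 3\x00" + b"\x00" * 48)
    hidden.chmod(0o644)
    # A dump that is at least not world-readable: still wrong place, lower severity.
    priv = root / "private.dump"
    priv.write_bytes(b"PGDMP\x01\x0e\x00")
    priv.chmod(0o600)
    return root


if __name__ == "__main__":
    for f in find_exposed_backups(build_sample_docroot()):
        severity = "EXPOSED" if f["world_readable"] else "restricted"
        print(f"{severity:10} {f['path']:20} {f['reason']} ({f['bytes']} bytes)")
```

Run it against a real document root by calling `find_exposed_backups(Path("/var/www/html"))` instead of the constructed sample. Matching on leading bytes as well as file names is the point: a developer who renames `site.sql` to `data.bin` has not hidden anything from a scanner, and has not hidden it from an attacker either.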