The Australian Red Cross Blood Service has admitted that the private details of half a million blood donors were leaked online in a mass security breach in Australia. The leaked information includes the following:
- First name
- Last name
- Gender
- Physical address
- Email address
- Phone number
- Date of birth
- Blood type
- If they'd previously donated
- Country of birth
- When their record was created
- The type of donation (Plasma, Plasmapheresis, Platelet, Plateletpheresis, Whole Blood)
- When each donation occurred
- Donor eligibility answers
Information on 550,000 donors, dating from between 2010 and 2016, was unintentionally placed on an unsecured website in early September, in a backup copy of an online inquiry form. The organization's chief executive, Shelly Park, apologized unreservedly for the breach.
"We are deeply disappointed this could happen. We take full responsibility for this mistake and apologise unreservedly.
"We would like to assure you we are doing everything in our power to not only right this but to prevent it from happening again."
In a statement, the organization said it was informed on Wednesday that a file containing donor information had been placed in an "insecure environment" by a third party that develops and maintains the Blood Service's website. Ms Park said it was "due to human error" that the information was posted online by a contractor who maintains the Red Cross website.
According to The Guardian, cyber security expert Troy Hunt told the organization that the risk of the data being misused was low. Australia's computer emergency response team, AusCERT, is also working with the organization to address the problem.
Hunt told the ABC that on Tuesday he was contacted by an anonymous Twitter user who claimed to have details of his and his wife's names, address, dates of birth, phone numbers and email addresses. Donors have nonetheless been warned to be on alert for phone and email scams.
On his website, Troy Hunt said that the leaked Red Cross data was a database backup. "That 1.74GB was simply a MySQL dump file that had everything in it. Taking a database backup is not unusual (in fact it's pretty essential for disaster recovery), it's what happened next that was the problem."