The Australian Red Cross Blood Service has admitted that the personal details of 550,000 donors were placed on a publicly accessible web server by mistake.
Security commentators say the error could have exposed the donors to identity theft or other crimes and underlines the fact that data security is still not a top priority for many organisations.
The Red Cross said on 26 October that its blood service had become aware that a file containing donor information had been placed in an insecure environment by a third-party website developer.
The file contained registration information collected between 2010 and 2016, including details such as names, addresses, dates of birth and other personal details.
The Red Cross said someone scanning for security vulnerabilities had alerted the Australian Cyber Emergency Response Team (AusCert), which helped the blood service to address the problem.
The blood service has also contacted the Australian Cyber Security Centre, the Australian Federal Police and the Office of the Australian Information Commissioner.
According to the blood service, IDCARE, a national identity and cyber support service, had assessed the information accessed as being at low risk of future direct misuse.
“To our knowledge, all known copies of the data have been deleted,” said Shelly Park, chief executive of the blood service. “However, investigations are continuing.”
Park said the online forms do not connect to the service’s secure databases, which contain more sensitive medical information.
“The blood service continues to take a strong approach to cyber safety so that donors and the Australian public can feel confident in using our systems,” she said.
“We are incredibly sorry to our donors. We are deeply disappointed this could happen. We take full responsibility and I assure the public we are doing everything in our power to not only right this, but to prevent it from happening again.”
The blood service is trying to contact everyone who made an application to be a blood donor on the site and inform them of the potential data breach. The organisation has also set up a hotline, website and email address to provide information for donors.
While some commentators have praised the organisation for the way it responded to the breach, described as the worst in Australia to date, others have been critical of the lax attitude to security that led to the breach in the first place.
“In this age of data-sharing, many organisations look at logistics before security,” said Mark James, security specialist at ESET. “If the data needs to be accessible by many people, then that priority is top of the list.”
According to James, protecting data requires multi-layered defence comprising security software, hardware, education and expertise.
“Failure to ensure software is patched and up to date is one of the biggest problems,” he said. “As a result, many webservers are using outdated software that still has vulnerabilities or flaws waiting to be exploited.”
With software available to scan multiple IP addresses looking for certain types of file, most of the hard work has already been done for the attacker, said James.
Correct authentication methods
However, he said the likelihood of breaches could be reduced significantly if the correct authentication methods are in place and there are periodic security reviews on all servers holding or handling private data.
“Having open facing servers available for plunder by all and sundry is just sloppy these days and is easily fixable,” said James.
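The periodic review James describes can be partly automated. The script below is an added example (it is not tooling from the Red Cross Blood Service, AusCERT, ESET or anyone quoted in the article) that walks a web server's public document root from the filesystem side and flags files that should never sit there: database dumps, backups, spreadsheet and CSV exports, and text tables whose header row looks like personal data. The directory layout, the sample files and the suffix and column-name heuristics are all assumptions constructed for the example.

```python
"""Web-root hygiene check (added example, not the blood service's own code).

Walks a public document root and reports files that look like data exports or
backups, which should never be served to the internet. The heuristics below
are assumptions for illustration, not an exhaustive list.
"""
import csv
import re
import tempfile
from pathlib import Path

# File types that are almost never legitimate public web content (assumed list).
RISKY_SUFFIXES = {".sql", ".dump", ".bak", ".zip", ".tar", ".gz",
                  ".csv", ".xls", ".xlsx", ".db", ".sqlite"}

# Column names that suggest personal data (assumed heuristic; "username" will
# also match, which is acceptable for a review that a human then triages).
PII_HEADERS = re.compile(r"(name|surname|address|email|phone|dob|birth)", re.I)


def looks_like_pii_table(path) -> bool:
    """True if the first row of a delimited text file has 2+ PII-looking columns."""
    try:
        with Path(path).open(newline="", encoding="utf-8", errors="replace") as fh:
            header = next(csv.reader(fh), None)
    except OSError:
        return False
    if not header:
        return False
    hits = sum(1 for col in header if PII_HEADERS.search(col))
    return hits >= 2


def scan_webroot(root) -> list:
    """Return one finding per suspicious file: relative path, reasons, size."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        reasons = []
        suffix = path.suffix.lower()
        if suffix in RISKY_SUFFIXES:
            reasons.append(f"data/backup file extension {suffix}")
        if suffix in {".csv", ".txt"} and looks_like_pii_table(path):
            reasons.append("header columns look like personal data")
        if reasons:
            findings.append({
                "path": path.relative_to(root).as_posix(),
                "reasons": reasons,
                "bytes": path.stat().st_size,
            })
    return findings


def build_sample_webroot() -> str:
    """Create a constructed document root: two benign files, two exposed exports."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    (root / "index.html").write_text("<html>ok</html>\n")
    (root / "css").mkdir()
    (root / "css" / "site.css").write_text("body { margin: 0 }\n")
    uploads = root / "uploads"
    uploads.mkdir()
    # Constructed sample data, not real donor records.
    (uploads / "registrations-export.csv").write_text(
        "first_name,surname,address,date_of_birth\n"
        "Jane,Example,1 Example St,1980-01-01\n"
    )
    (uploads / "site-backup.sql").write_text("-- constructed dump\n")
    return str(root)


if __name__ == "__main__":
    for finding in scan_webroot(build_sample_webroot()):
        print(f"{finding['path']} ({finding['bytes']} bytes): "
              + "; ".join(finding["reasons"]))
```

Run on a real document root, point `scan_webroot` at the directory the web server serves and schedule it alongside the patching and authentication review; the check runs on the host itself, so it sees files a third-party developer dropped there regardless of whether anyone has yet requested them over HTTP.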
Steve Murphy, senior vice-president for Europe at data giant Informatica, said that if organisations do not track where their data is moving and who holds it, it is only a matter of time before a damaging breach occurs.
“With sensitive data often passing between multiple companies during partnerships and sales, it is essential that organisations have a data-centric security strategy in place to ensure that data is secure wherever it goes,” he said.
The cost of poor data security is now far more than just financial, said Murphy. “Consumers are sharing more and more personal information with a wide range of organisations, from medical trusts to e-vendors, and, as a result, businesses that fail to secure that data risk inadvertently exposing their customers to blackmail, impersonation and scams, not to mention the reputational damage to the company.”