Friday, November 04, 2016

If Ever There Was A Reminder That Private Information Security Is Vital – This Is it!

This broke late last week:

Australia's biggest data breach sees 1.3m records leaked

By Allie Coyne on Oct 28, 2016 12:00PM

Medical data exposed.

More than one million personal and medical records of Australian citizens donating blood to the Red Cross Blood Service have been exposed online in the country’s biggest and most damaging data breach to date.
A 1.74 GB file containing 1.28 million donor records going back to 2010, published to a publicly-facing website, was discovered by an anonymous source and sent to security expert and operator of haveibeenpwned.com Troy Hunt early on Tuesday morning.
The database was uncovered through a scan of IP address ranges configured to search for publicly exposed web servers that returned directory listings containing .sql files.
The contents of the 'mysqldump' database backup contain everything from personal details (name, gender, physical and email address, phone number, date of birth and occasionally blood type and country of birth) to sensitive medical information, like whether someone has engaged in at-risk sexual behaviour in the last year.
The database collected information submitted when an individual books an appointment - either on paper or online - to donate blood. The process requires donors to enter their personal details and fill out an eligibility questionnaire.
It does not contain data on blood reports or analyses, or responses to the full donor questionnaire all blood bank visitors are required to fill out at the time of their donation.
The database was published on the webserver of a Red Cross Blood Service technology partner that maintains the service's website, not the organisation’s www.donate.blood.com.au site where online bookings are made.
"This is a seriously egregious cock-up - this should never happen," Hunt told iTnews.
More here:
There were more details published here:

Contractor behind Australia's biggest-ever data breach revealed

By Allie Coyne on Oct 28, 2016 4:25PM

Exclusive: How human error exposed 550,000 donors.

Over four frantic days that must have felt like mere minutes, the Red Cross Blood Service has been battling to deal with a data breach that exposed the sensitive personal and medical records of 550,000 of its donors online.
An anonymous individual stumbled across the 1.74GB file containing 1.28 million records while scanning IP address ranges for publicly exposed web servers containing .sql files.
The Red Cross Blood Service became aware of the blunder on Tuesday morning through a chain of communications that included security researcher Troy Hunt and Australia’s computer emergency response team AusCERT.
That was also the day its website maintenance and development contractor, Precedent, found out about the giant breach it had inadvertently caused.
Precedent was engaged by the blood service to redesign and maintain its core website, www.donateblood.com.au, in 2015.
It created a Drupal 7-based responsive site to make it easier for people who have never donated blood to find out more about the process, and to make bookings for donors much simpler.
The new site was launched to the public in November last year.
However, a human error made by one of Precedent’s technical team meant a database backup containing all the information donors enter as part of their booking process was exposed online for almost two months from September 5 this year.
More here:
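Both articles describe the same root cause: a 'mysqldump' .sql backup sitting in a publicly facing web root on a server that returned directory listings. The following pre-deploy check is an added example (not code from iTnews, the Red Cross Blood Service or Precedent) that walks a local webroot, flags database dumps by extension and by mysqldump's header signature, and lists directories that have no index file and would therefore be listable if autoindex is on; the directory layout, file names and index-file set are constructed assumptions.

```python
"""Audit a web document root for database dumps and listable directories."""
import os
import tempfile
from pathlib import Path

# Extensions typical of database/backup dumps that never belong under a webroot.
DUMP_SUFFIXES = (".sql", ".sql.gz", ".dump", ".bak", ".tar.gz", ".zip")
# First bytes mysqldump writes; catches dumps renamed to an innocent extension.
MYSQLDUMP_MAGIC = b"-- MySQL dump"
# Assumed index files; a directory without one is exposed by autoindex/Indexes.
INDEX_FILES = {"index.html", "index.htm", "index.php"}

def looks_like_dump(path: Path) -> bool:
    """True if the file name or the file header indicates a database dump."""
    if path.name.lower().endswith(DUMP_SUFFIXES):
        return True
    try:
        with path.open("rb") as fh:
            return fh.read(len(MYSQLDUMP_MAGIC)) == MYSQLDUMP_MAGIC
    except OSError:
        return False

def audit_webroot(webroot: str) -> dict:
    """Return {'dumps': [...], 'listable_dirs': [...]} as paths relative to webroot."""
    root = Path(webroot)
    findings = {"dumps": [], "listable_dirs": []}
    for dirpath, _dirnames, filenames in os.walk(root):
        here = Path(dirpath)
        if not INDEX_FILES & set(filenames):
            findings["listable_dirs"].append(str(here.relative_to(root)))
        for fname in filenames:
            if looks_like_dump(here / fname):
                findings["dumps"].append(str((here / fname).relative_to(root)))
    findings["dumps"].sort()
    findings["listable_dirs"].sort()
    return findings

def demo() -> dict:
    """Build a constructed Drupal-like webroot with a stray backup and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "webroot"
        (root / "sites" / "default").mkdir(parents=True)
        (root / "backups").mkdir()
        (root / "index.php").write_text("<?php // front controller\n")
        (root / "sites" / "default" / "index.html").write_text("ok\n")
        (root / "sites" / "default" / "logo.png").write_bytes(b"\x89PNG")
        (root / "backups" / "site-backup.sql").write_text("-- MySQL dump 10.13\n")
        (root / "backups" / "notes.txt").write_text("-- MySQL dump 10.13\n")  # renamed dump
        return audit_webroot(str(root))

if __name__ == "__main__":
    print(demo())  # expect two dumps under backups/ and two listable directories
```

Run this against the real document root in the deploy pipeline and fail the build on any non-empty `dumps` list; the `listable_dirs` list only matters where the web server has directory indexing enabled, which is the setting the articles describe.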
There is also coverage in all the mainstream press.
It is hard to know what to say – other than to agree with the commentator who said this sort of thing should simply not happen.
There is a warning here for all who hold patient private data!
David.

1 comment:

Anonymous said...

It's disturbing that the Red Cross press release fails to understand the significance of this. While no medical information was revealed (a not entirely true statement), this collection of information can be used with other breaches to build a profile that can be used for identity theft, etc.
The fact that this is not acknowledged or even hinted at shows an appalling understanding of the impact of these breaches.