Half a million blood donors' data put on insecure website

8:10 pm on 28 October 2016

The Red Cross Blood Service in Australia has apologised to more than half a million blood donors after their personal information was put on an insecure website.


Photo: 123rf.com

The personal data of 550,000 blood donors - including information about "at-risk sexual behaviour" - has been leaked, in what has been described as the country's largest security breach.

The organisation said it was told on Wednesday that a file containing donor information was placed on an "insecure computer environment" and "accessed by an unauthorised person".

The file contained the information of blood donors from between 2010 and 2016.

The data came from an online application form and included "personal details" and identifying information including names, gender, addresses and dates of birth, a Red Cross statement said.

Red Cross Blood Service chief executive Shelly Park said "due to human error" the unsecured data had been posted on a website by a contractor who maintained and developed the Red Cross website.

"As an organisation, we are still in the process of completing our investigation and we have engaged forensic experts to help us with this," she said.

"We apologise and we acknowledge that this is unacceptable."

Ms Park said, to her knowledge, all copies of the data had now been deleted and the risk of misuse of the data was low.

Independent security expert Troy Hunt said he was contacted on Tuesday morning by an anonymous Twitter user who claimed to have his and his wife's personal details.

Mr Hunt said the anonymous user then sent him the data in a 1.74GB file.

He said he was never threatened or extorted by the Twitter user and contacted AusCert, a cyber emergency response team, who then notified the Red Cross of the breach.

Mr Hunt said he later deleted the file and understood the person who provided it had deleted their copy.

Data included answers to a question about "at-risk" sexual activity

Mr Hunt said the data included answers to a number of true-false eligibility questions, including one that asked donors whether they had engaged in "at-risk sexual behaviour" in the previous 12 months.

"Both the questions and answers mapped to the individuals were part of the dataset. That would be one of the most sensitive things in the breach, especially if you answered in the affirmative," he said.

Mr Hunt, who works with companies to prevent similar incidents from occurring, said as far as he was aware it was the largest data leak in Australia.

"We haven't seen one [a breach] of an Australian entity that's anywhere near this size," he said.

"We've certainly seen some very large global ones … things like the MySpace data breach, for example. We haven't seen one locally this big."

The Red Cross Blood Service said it had been in contact with the Australian Cyber Security Centre and the Australian Federal Police about the breach.