Eleventh day of Hackmas: The great Blood Breach
In 2016 one of the most sensitive personal data breaches in Australian history occurred: the personal data of around 550,000 blood donors was leaked. It included identifying information such as names, genders, addresses and dates of birth.
This breach could have been far more damaging if not for a few people who acted ethically. Independent security expert Troy Hunt was contacted on Twitter by an anonymous user claiming to have the personal details of Troy and his wife.
Troy said that neither he nor the Red Cross was ever threatened, which is a welcome relief in this age of digital crime. Troy contacted AusCERT (Australia's computer emergency response team), who then notified the Red Cross of the breach.
Mr Hunt said the breached data contained answers to a number of true-false donor eligibility questions, including one that asked donors whether they had engaged in “at-risk sexual behaviour” in the previous 12 months.
“Both the questions and answers mapped to the individuals were part of the dataset. That would be one of the most sensitive things in the breach, especially if you answered in the affirmative,” Troy Hunt said.
To the Red Cross’ credit, they were very forthcoming with details on the data breach and continue to provide information about how they handle private information.
Could this have been prevented?
The breach occurred because a third-party contractor took a copy of the database (a backup file) and left it in a publicly accessible directory on a web server, where anyone scanning for exposed database files could find and download it: no authentication, no access control, just a URL. Sound familiar? Uber’s customer database was also exposed in 2016, though in that case the attackers pulled the data from cloud storage using credentials they found in one of Uber’s code repositories rather than from a file sitting on a public web server. The common root cause is the same: a copy of sensitive data left reachable without any access control.
However, Uber was widely criticised for its response, which included keeping the breach quiet for over a year. The Red Cross, on the other hand, handled the breach about as well as could have been hoped.
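The contractor's mistake is easy to catch if anyone looks: a database dump sitting under a web server's document root is a file with a recognisable name or header. The script below is an added example written for this post, not code from the Hackmas series, the Red Cross or its contractor. It assumes you can read the document root on the host itself and walks it, flagging files by backup-style name and by the leading bytes of common dump formats (so a dump renamed to `.dat` is still caught). The sample site tree in `build_sample_webroot()` is constructed purely for illustration.

```python
"""
Scan a web document root for database dumps and backup archives that a
web server would hand to anyone who guesses, lists or scans for the URL.

Added example; not code from the Hackmas post, the Red Cross or its
contractor. Assumes the web root is readable on the local filesystem.
The tree created by build_sample_webroot() is constructed for illustration.
"""
import tempfile
from pathlib import Path

# Name endings produced by backup and export tooling; none belong under a
# document root.
RISKY_SUFFIXES = (".sql", ".sql.gz", ".dump", ".bak", ".old",
                  ".tar.gz", ".tgz", ".zip")

# Leading bytes of common dump formats, so a renamed dump is still caught.
DUMP_SIGNATURES = (
    b"-- MySQL dump",                 # mysqldump plain output
    b"-- PostgreSQL database dump",   # pg_dump plain output
    b"PGDMP",                         # pg_dump custom format
    b"SQLite format 3\x00",           # SQLite database file
)


def risky_suffix(path: Path) -> bool:
    """True if the file name ends like a backup/export artefact."""
    name = path.name.lower()
    return any(name.endswith(suffix) for suffix in RISKY_SUFFIXES)


def looks_like_dump(path: Path) -> bool:
    """True if the first bytes match a known database dump signature."""
    try:
        with path.open("rb") as fh:
            head = fh.read(64)
    except OSError:
        return False
    return any(head.startswith(sig) for sig in DUMP_SIGNATURES)


def find_exposed_dumps(webroot) -> list:
    """Walk the document root and report files that should never be served.

    Each finding carries the URL path a client would request, the file size
    and the reason(s) it was flagged. Results are sorted by URL path.
    """
    root = Path(webroot)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        reasons = []
        if risky_suffix(path):
            reasons.append("backup-style file name")
        if looks_like_dump(path):
            reasons.append("database dump signature in file header")
        if reasons:
            findings.append({
                "url_path": "/" + path.relative_to(root).as_posix(),
                "size": path.stat().st_size,
                "reasons": reasons,
            })
    findings.sort(key=lambda f: f["url_path"])
    return findings


def build_sample_webroot() -> str:
    """Create a constructed document root (two exposed dumps among ordinary
    site files) in a temp directory and return its path."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    files = {
        "index.html": b"<html><body>Donate blood today</body></html>\n",
        "css/site.css": b"body { font-family: sans-serif; }\n",
        # A mysqldump left in a "backups" folder under the web root.
        "backups/donors.sql": (b"-- MySQL dump 10.13  Distrib 5.7.1\n"
                               b"CREATE TABLE donors (id INT, name TEXT);\n"),
        # A pg_dump custom-format file renamed to disguise its purpose.
        "data/export.dat": b"PGDMP" + bytes(16),
        # Ordinary binary asset that matches no signature.
        "images/logo.png": b"\x89PNG\r\n\x1a\n" + bytes(32),
    }
    for rel, content in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)
    return str(root)


if __name__ == "__main__":
    for f in find_exposed_dumps(build_sample_webroot()):
        print(f"{f['url_path']:<22} {f['size']:>5} bytes  {', '.join(f['reasons'])}")
```

Run this against the real document root on each web host (a cron job or a pre-deploy step is enough) and treat any finding as an incident in waiting. The stronger controls sit in front of it: never write backups anywhere under the document root, and configure the web server to refuse to serve these suffixes and to disable directory listing, so that a stray file is a bug rather than a breach.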