Data breaches continue around the globe: news has emerged that a data breach exposed over a million personal and medical records of Australian citizens who donated blood to the Red Cross Blood Service. It is thought to be the biggest data breach to affect the country. An anonymous source discovered that a 1.74 GB file containing 1.28 million donor records going back to 2010 was accessible via a publicly accessible website. The database contains personal information such as name, gender, physical and email address, phone number, date of birth, blood type and country of birth. It also holds very sensitive data such as whether someone has engaged in high-risk sexual behaviour. IT security experts from HPE Security, Prevalent and ESET commented below.
Mark Bower, Global Director – Product Management at HPE Security-Data Security:
The data is lucrative and if left unprotected, can be used for social engineering attacks and scams, and if health insurance data are present, potentially medical and identity fraud or to obtain high-demand prescription drugs. While it looks like the sensitive personally identifiable information was inadvertently placed on a public website, healthcare entities still face the same challenge of keeping data safe from prying eyes – especially from third party service providers.
Unfortunately, many healthcare firms do not have modern data-centric protection in place to neutralize breach risks from cyberattacks and are thus vulnerable to being plundered from advanced malware, as well as insiders.
This particular mistake could have been avoided if the healthcare company used new best practices to devalue the data with encryption or tokenization. These technologies can remove *all* of the value from sensitive data or only remove *part* of the value from sensitive data.
This second practice is typically seen in the healthcare industry, where data needs to be anonymized, but enough information has to still be present to allow its use in things like epidemiology (as well as other important secondary uses), or patient databases.
There are lots of different ways to “de-identify” data in case of a cyberattack or inadvertent exposure to unauthorized parties, yet still enable data-rich analytic insight without risk.
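The partial devaluation described above, as an added example that is not HPE's code or product: direct identifiers are replaced by keyed tokens, date of birth and postcode are coarsened, and blood type and the other fields needed for epidemiology stay usable. The donor record and its field names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample donor record (no real data); the field names are assumptions.
SAMPLE_RECORD = {
    "name": "Jane Citizen",
    "email": "jane@example.com",
    "phone": "+61 400 000 000",
    "dob": "1985-07-14",
    "postcode": "2000",
    "blood_type": "O-",
    "country_of_birth": "Australia",
    "high_risk_behaviour": True,
}

# Direct identifiers are replaced by keyed tokens; analytic fields stay as-is.
DIRECT_IDENTIFIERS = ("name", "email", "phone")
ANALYTIC_FIELDS = ("blood_type", "country_of_birth", "high_risk_behaviour")

def tokenize(value, key, length=16):
    """Keyed, deterministic token (HMAC-SHA256). Equal inputs map to equal
    tokens, so records can still be linked across datasets; without the key
    a token can neither be reversed nor recomputed, unlike a plain hash."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:length]

def generalize_dob(dob):
    """Coarsen a full date of birth to a five-year band (quasi-identifier)."""
    year = int(dob[:4])
    start = year - year % 5
    return f"{start}-{start + 4}"

def generalize_postcode(postcode):
    """Keep only the leading two digits of the postcode."""
    return postcode[:2] + "xx"

def deidentify(record, key):
    """Partial devaluation: tokens for direct identifiers, generalization for
    quasi-identifiers, analytic fields intact, any other field dropped."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            out[field] = tokenize(value, key)
        elif field == "dob":
            out["dob_band"] = generalize_dob(value)
        elif field == "postcode":
            out["postcode_area"] = generalize_postcode(value)
        elif field in ANALYTIC_FIELDS:
            out[field] = value
    return out
```

The key must be kept apart from the de-identified dataset; with it, tokens can be recomputed for authorised linkage, without it the tokens carry no value.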
Jeff Hill, Director, Product Management at Prevalent:
Mark James, Security Specialist at ESET:
Ensuring your software is patched and up to date is one of the biggest failings. Many web servers are using outdated software that still has vulnerabilities or flaws waiting to be exploited. With software available to scan multiple IP addresses looking for certain types of files, most of the hard work has already been done for the attacker. If the correct authentication methods were in place and periodic security reviews were carried out on all servers holding or handling our private data, then a lot of these breaches would not have happened.