Australia’s Red Cross Suffers Country’s Largest Data Breach

Data breaches continue around the globe – news that a data breach has exposed over a million personal and medical records of Australian citizens donating blood to the Red Cross Blood Service. It is thought to be the biggest data breach to affect the country – it was discovered by an anonymous source that a 1.74 GB file containing 1.28 million donor records going back to 2010, was accessible via a publicly accessible website. The database contains personal information such name, gender, physical and email address, phone number, date of birth as well as blood type and country of birth. It also has very sensitive data such as whether someone has engaged in high-risk sexual behaviour. IT security experts from HPE Security, Prevalent and  ESET commented below.

Mark Bower, Global Director – Product Management at HPE Security-Data Security:

“Healthcare entities are the new data gold mines for attackers, and that includes blood donor databases with highly personal health and activity history.

The data is lucrative and if left unprotected, can be used for social engineering attacks and scams, and if health insurance data are present, potentially medical and identity fraud or to obtain high-demand prescription drugs. While it looks like the sensitive personally identifiable information was inadvertently placed on a public website, healthcare entities still face the same challenge of keeping data safe from prying eyes – especially from third party service providers.

Unfortunately, many healthcare firms do not have modern data-centric protection in place to neutralize breach risks from cyberattacks and are thus vulnerable to being plundered from advanced malware, as well as insiders.

This particular mistake could have been avoided if the healthcare company used new best practices to devalue the data with encryption or tokenization. These technologies can remove *all* of the value from sensitive data or only remove *part* of the value from sensitive data.

This second practice is typically seen in the healthcare industry, where data needs to be anonymized, but enough information has to still be present to allow its use in things like epidemiology (as well as other important secondary uses), or patient databases.

There are lots of different ways to “de-identify” data in case of a cyberattack or inadvertent exposure to unauthorized parties, yet still enable data-rich analytic insight without risk.”

Jeff Hill,  Director, Product Management at Prevalent:

“The Australian Red Cross breach lies at the intersection of sensitive data and the integral role 3rd parties/vendors play in organizational operations today.  Like the Red Cross, how many enterprises outsource a basic function such as website development and maintenance to a vendor?  Probably most.  How many websites collect data from customers, some of which is sensitive? Probably most. How many organizations pay little attention to the risk posed by an ever-expanding portfolio of vendors, including their website developers?  Probably most. It’s no wonder that in a recent survey of IT and Security professionals, nearly 70% admitted they possibly (or definitely) experienced a security breach originating from a vendor’s access in the last year.”

Mark James, Security Specialist at ESET:

“In this age of data sharing many organisations look at logistics before security. If the data needs to be accessible by many people then that priority is top of the list. Protecting your data is an accumulation of many things, multi-layered defence is made up from security software, hardware, education and the expertise to meld them all into one. Ensuring corners are not cut or shortcuts are not in place is all part of securing your data.

Ensuring your software is patched and up to date is one of the biggest failings. Many webservers are using outdated software that still has vulnerabilities or flaws waiting to be exploited. With software available to scan multiple IP addresses looking for certain types of files most of the hard work has already been done for the attacker. If the correct authentication methods were in place and periodic security reviews on all servers holding or handling our private data then a lot of these breaches would not have happened.