
ITACS 5211: Introduction to Ethical Hacking

Wade Mackay

Blood Service Data Leak Could be Australia’s Biggest

October 29, 2016 by Mengxue Ni 2 Comments

The Australian Red Cross Blood Service has apologized after a database backup file containing over one million donor records, including highly sensitive information on sexual activity, was exposed to the public. The breach occurred when a partner published a 1.74 GB mysqldump file to a publicly facing website with directory browsing enabled, which meant an unnamed researcher was able to find it at random using a simple IP address scan for publicly exposed web servers returning directory listings. The data included over 1.2 million records pertaining to 550,000 blood donor applicants. Crucially, the information included answers to a highly sensitive question on whether the applicant had engaged in “at-risk” sexual behavior over the past year. According to the statement apologizing for the incident, the Blood Service has taken immediate action to resolve the problem and informed the police and the Australian Information Commissioner. They have deleted all known copies of the data. It is unclear how long the data was left publicly available, but it contains info on donors who registered between 2010 and 2016.

I think this will definitely affect people who want to donate blood and people who had donated blood before. I would not donate my blood for a while, since it may leak my personal information publicly. So I believe the number of blood donors in Australia will decrease for a time. They need to prepare for it.

 

Link: http://www.infosecurity-magazine.com/news/blood-service-data-leak-australias/

Filed Under: Week 10: Web Application Hacking Tagged With:
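The exposure described in the post (a mysqldump file sitting in a browsable web directory) can be checked for on your own server. The following is an added example, not part of the original post or the cited article: it walks a document root you control and flags dump-like files. The extension list, index file names, sample tree and function names are assumptions made for illustration.

```python
import os
import tempfile

# Assumed backup extensions; extend for your environment.
DUMP_EXTENSIONS = (".sql", ".sql.gz", ".dump", ".bak")
# mysqldump output begins with a comment header containing this marker.
MYSQLDUMP_MARKER = b"-- MySQL dump"
# Assumed index file names that normally suppress an auto-generated listing.
INDEX_FILES = {"index.html", "index.htm", "index.php"}

def looks_like_dump(path):
    """Return why a file looks like a database dump, or None."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(512)
    except OSError:
        return None
    if MYSQLDUMP_MARKER in head:
        return "mysqldump header"   # catches dumps saved under another name
    if path.lower().endswith(DUMP_EXTENSIONS):
        return "backup extension"   # catches compressed dumps with no readable header
    return None

def audit_docroot(docroot):
    """Return sorted (relative_path, reason, listable) for dump-like files."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        # Heuristic: no index file means a server with browsing enabled lists the directory.
        listable = not (INDEX_FILES & {f.lower() for f in files})
        for name in files:
            full = os.path.join(dirpath, name)
            reason = looks_like_dump(full)
            if reason:
                findings.append((os.path.relpath(full, docroot), reason, listable))
    return sorted(findings)

def build_sample(root):
    """Constructed sample tree: a home page plus two backup files."""
    os.makedirs(os.path.join(root, "backups"))
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<h1>home</h1>")
    with open(os.path.join(root, "backups", "export.txt"), "wb") as fh:
        fh.write(b"-- MySQL dump 10.13\n--\nCREATE TABLE t (id INT);\n")
    with open(os.path.join(root, "backups", "old.sql.gz"), "wb") as fh:
        fh.write(b"\x1f\x8b constructed placeholder bytes")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rel, reason, listable in audit_docroot(tmp):
            print(f"{rel}: {reason}, directory listable={listable}")
```

Whether a listing is actually served depends on the web server configuration, so treat `listable` as a prompt to check that setting; a dump file under the document root is a finding either way.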


Comments

  1. Vaibhav Shukla says

    October 30, 2016 at 1:03 pm

    Yeah, even I had an initial feeling of what sensitive information there could be w.r.t. the blood donors, as they can have just information on the blood donation history and the name of the donor.
    But I felt this is a serious breach when secret private questions like “engaged in ‘at-risk’ sexual behavior” and blood type are revealed in public.
    Blood donors in Australia will surely think in future, before going to a blood donation drive and filling in the form, about whether the information they are providing is protected or not.

  2. Loi Van Tran says

    October 31, 2016 at 6:25 pm

    This is an example of poor oversight and weak security controls. Along with the revelation of sensitive information, the blood service could also see themselves in future litigation for this exposure. The donors will probably be victims of spear phishing scams since their emails were part of the data leak. A hacker could use this situation to try to convince the donors to go to a website and apply for identity monitoring that could also be malicious.
