'Bloody hell, mate': Massive data leak exposes half a million Australian Red Cross blood donors

The Australian Red Cross has apologised after a 1.74GB-sized backup database containing over half-a-million personal details leaked of blood donors. According to security researcher Troy Hunt, who first reported the incident, the database included 647 different tables in total.

The compromised records, made up of registration data for 550,000 people from 2010 to 2016, included names, addresses, dates of birth, blood types, phone numbers and last donation dates. The database leaked after being "placed in an insecure environment" by an unnamed third party.

"To our knowledge, all known copies of the data have been deleted. However investigations are continuing," said Shelly Park, chief executive of the Blood Service. "The online forms do not connect to our secure databases which contain more sensitive medical information."

Park, while acknowledging the data leak in an online statement, "apologised unreservedly" to the donors impacted and maintained the Blood Service "continues to take a strong approach to cyber-safety so donors and the Australian public can feel confident in using our systems."

She added: "We take full responsibility and I assure the public we are doing everything in our power to not only right this but to prevent it from happening again. We need your continued support to donate blood and feel confident that this will not reoccur in the future."

Hunt, who was forwarded the leaky database by a man who was scanning internet IP addresses for publicly exposed servers, believes his contact has deleted his copy of the database. Instead of uploading the data to his own breach notification service, the researcher also deleted his version.

"In the Red Cross' case, the data that was ultimately leaked was a database backup," he explained in a blog post. [It] was simply a mysqldump file that had everything in it. Taking a database backup is not unusual, it's what happened next that was the problem.

"The database backup was published to a publicly facing website. This is really the heart of the problem because no way, no how should that ever happen. There is no good reason to place database backups on a website, let alone a publicly facing one.

"One really important point to make here is that whilst the data originally came from the Red Cross, it ultimately wasn't them that published it to a publicly facing server, rather it was a partner. That doesn't change the end result [...] but it's an important detail in the overall chronology of events."

The incident was reported to AusCERT (Computer Emergency Response Team) and resolved quickly. The Blood Service said it has already contacted the Australian cybersecurity centre, the federal police and the Information Commissioner's Office (ICO).

A cybersecurity support service called IdCare assessed the exposed data as having a "low risk of future direct misuse," the Blood Service said, adding it is now attempting to contact everyone who gave blood between the impacted dates to inform them about the data breach.

"We have set up a hotline, website and email address to provide information for donors," Park said. "It is vitally important that people who generously want to give blood are not deterred by this – every Australian may need a blood transfusion at some time and we hope people will continue to make their contribution and to feel confident that their personal details will be protected."