The massive data breach that hit the Australian Red Cross Blood Service last year was caused by a "one-off human error" by a third-party provider, the Office of the Australian Information Commissioner (OAIC) said on Monday (7 August), concluding its investigation into the breach, which affected over half a million blood donors in Australia.
In September 2016, a backup copy of a database from the Australian Red Cross that contained the personal details of about 550,000 prospective blood donors was accidentally saved to a public-facing web server by an employee of a third-party provider, rather than the intended secure location.
The third-party IT partner, Precedent Communications, was hired by the Australian Red Cross to handle website development and database management.
The 1.74GB MySQL database backup included a copy of the Blood Service's website as well as customer data entered by individuals via an online donor application form on the website. Customer data exposed in the breach included sensitive personal details such as names, gender, email and physical addresses, phone numbers, dates of birth, country of birth, blood type and other donation-related data including requested appointments.
In October, the exposed data file was discovered and accessed by an unknown individual who notified cybersecurity expert Troy Hunt. Hunt then informed the Australian Cyber Emergency Response Team (AusCERT). The Blood Service was notified of the massive breach and immediately took steps to contain it.
Hunt dubbed the data breach "Australia's largest ever leak of personal data" from a local service.
Australian Information and Privacy Commissioner Timothy Pilgrim said the Blood Service did not meet all the requirements of the Privacy Act.
The commissioner's report noted two factors "within the Blood Service's control" that contributed to the data breach. The Blood Service did not have contractual measures or take reasonable steps to "ensure adequate security measures for personal information held for it by the relevant third party contractor". The agency also retained data on the Donate Blood website far longer than was required.
However, he commended the agency for its response and handling of the incident.
"Data breaches can still happen in the best organisations - and I think Australians can be assured by how the Red Cross Blood Service responded to this event," Pilgrim said in a statement. "They have been honest with the public, upfront with my office, and have taken full responsibility at every step of this process."
The non-profit has since bolstered its data handling practices. Both the Blood Service and Precedent have also offered enforceable undertakings to the OAIC.
"This incident is an important reminder that you cannot outsource privacy obligations," Pilgrim said. "All organisations must put in place reasonable measures to ensure their third party providers' compliance with appropriate privacy and data security practices and procedures."
Janine Wilson, the executive director of donor services for the Red Cross Blood Services, said in May: "We were a business that thought it was managing data pretty well, but what's very clear to me now having gone through that is your actual IT security systems can be watertight, but there are people who operate them every day.
"It was our obligation to tell the 1.2 million donors that their data may have been breached and here's what happened."
She added: "Blood donors are collectively a fairly loyal and forgiving lot ... I think they were forgiving but I don't think they would be again."