Hackers have breached and leaked personal data from Australia’s Red Cross Blood Service, leading to the details of 550,000 donors being exposed.
The breach, detailed by security expert Troy Hunt, is the biggest data leak Australia has suffered, and revealed the email addresses, gender, date of birth, phone number and blood donation date of the organisation’s donors between 2010 and 2016.
“This is literally as simple as going to an address such as http://127.0.0.1 and seeing a list of all the files on the system (sample address only). He’d then look to see if any of those files contained a .sql extension which would indicate a database backup… and that is all,” said Hunt.
The data leak stemmed from a database backup published to a publicly facing website, something Hunt said should not be done as there is no good reason to have such a database on a website, let alone a public one, other than for convenience. Furthermore, it was exposed by having directory browsing enabled on the site.
“The database backup should never have been there in the first place, but it’s highly unlikely it would have been found without directory browsing enabled (the file name would not have been easily guessed, it wasn’t as obvious as something like “database.sql”). Showing a public listing of the file contents of the server is a well-known risk and there’s rarely a valid justification for this, precisely for the sorts of reasons demonstrated with this incident,” Hunt explained.
All this points towards flaws in the Australian Red Cross Blood Service’s IT security, to the extent that The Guardian reported the organisation had explained the breach was down to human error.
“We learned that a file, containing donor information, which was located on a development website, was left unsecured by a contracted third party who develops and maintains our website,” said Australian Red Cross Blood Service chief executive Shelly Park. “The issue occurred due to human error. Consequently, this file was accessed by a person outside of our organisation.”
Park apologised for the data leak but stressed it did not include any medical information belonging to the donors. However, the leak of personal email addresses and information means hundreds of thousands of donors will need to be on alert to phishing scams targeted at them based on the leaked data.
“Protecting your data is an accumulation of many things, multi-layered defence is made up from security software, hardware, education and the expertise to meld them all into one. Ensuring corners are not cut or shortcuts are not in place is all part of securing your data,” he said.
“Ensuring your software is patched and up to date is one of the biggest failings. Many webservers are using outdated software that still has vulnerabilities or flaws waiting to be exploited.
“With software available to scan multiple IP addresses looking for certain types of files most of the hard work has already been done for the attacker. If the correct authentication methods were in place and periodic security reviews on all servers holding or handling our private data then a lot of these breaches would not have happened.”
Data breaches are becoming bigger, more damaging and increasingly high profile as the years march on; the latest major breach suffered by Yahoo has had the effect of putting its acquisition by Verizon at risk.
Alarmingly, even the police could be behind data breaches, showing organisations that it is not just hackers they should be concerned about.
Take our data breaches of 2015 quiz here!
Troubled battery maker Northvolt reportedly considers Chapter 11 bankruptcy protection in the United States as…
Microsoft's cloud business practices are reportedly facing a potential anti-competitive investigation by the FTC
Ilya Lichtenstein sentenced to five years in prison for hacking into a virtual currency exchange…
Target for Elon Musk's lawsuit, hate speech watchdog CCDH, announces its decision to quit X…
Antitrust penalty. European Commission fines Meta a hefty €798m ($843m) for tying Facebook Marketplace to…
Elon Musk continues to provoke the ire of various leaders around the world with his…