Australian Information Commissioner commends Red Cross for data breach response
In October, a 1.74GB MySQL database backup containing 1.3 million rows and 647 different tables from the Australian Red Cross Blood Service's DonateBlood.com.au website was found to be publicly available.
The data originated from an online donor application form that contained details including name, gender, address, email, phone number, date of birth, country of birth, blood type, and other donation-related data, as well as appointments made.
Nearly a year after the breach occurred, the Australian Information and Privacy Commissioner Timothy Pilgrim concluded his investigation by saying he has confidence in the Australian Red Cross Blood Service's commitment to the security of the personal information it holds.
"Data breaches can still happen in the best organisations -- and I think Australians can be assured by how the Red Cross Blood Service responded to this event," Pilgrim said in a statement on Monday. "They have been honest with the public, upfront with my office, and have taken full responsibility at every step of this process."
Pilgrim's investigation found that a file containing information relating to approximately 550,000 prospective blood donors was saved to a publicly accessible portion of a webserver managed by a third party provider, Precedent Communications.
The data breach occurred without the authorisation or direct involvement of the Blood Service, and was outside the scope of Precedent's contractual obligations to the Blood Service, Pilgrim explained.
On September 5, 2016, a Precedent employee created a backup of the website's user acceptance testing (UAT) environment for the Donate Blood website and saved the data file to a publicly accessible portion of the UAT server, instead of the intended secure location.
The UAT environment included a copy of the live website, including a copy of customer data entered by individuals on the website, Pilgrim's report explains.
On October 25, 2016, an individual scanning the internet for security vulnerabilities located, accessed, and made a backup of the data file. The same individual then contacted cybersecurity expert Troy Hunt who subsequently informed the Australian Cyber Emergency Response Team (AusCERT).
AusCERT then coordinated a response to the incident and notified the Blood Service, Pilgrim explained.
In response to a request from AusCERT, the internet service provider responsible for hosting the UAT environment removed access to the UAT environment and as a result, the file was no longer accessible. The ISP notified Precedent of the data breach on October 26, 2016.
After becoming aware of the compromise of the data, Precedent responded in a support capacity by cooperating with the Australian Red Cross Blood Service in their investigation, the report said, with the contractor providing the compromised server to the Blood Service for an external forensic investigation where all of the data stored on the Donate Blood website was subsequently deleted.
The public and affected individuals were then notified of the incident on October 28, 2016.
The commissioner ruled the breach was a result of an inadvertent error made by an employee of Precedent, and as a result, has also provided them with an enforceable undertaking.
Precedent breached the Privacy Act in respect of APP 6 and APP 11 by disclosing the personal information of individuals who had made an appointment on the Donate Blood website and by failing to take reasonable steps to adequately mitigate against the risk of a data breach, and to protect the personal information it held from unauthorised disclosure, Pilgrim said in his report.
While the Blood Service had in place policies and practices to protect personal information as required by the Privacy Act, Pilgrim said there were two matters within the Blood Service's control that were a contributing factor to the data breach, which included the absence of contractual measures or other reasonable steps on the part of the Blood Service to ensure "adequate security measures for personal information held for it by Precedent in breach of APP 11.1".
Red Cross also retained data on its Donate Blood website for a longer period than was required, in breach of APP 11.2, the report adds.
"This incident is an important reminder that you cannot outsource privacy obligations. All organisations must put in place reasonable measures to ensure their third party providers' compliance with appropriate privacy and data security practices and procedures," he explained.
Although Pilgrim said the Red Cross Blood Service had not met all the requirements of the Privacy Act in relation to the data breach, the commissioner commended the organisation for its quick response and handling of the breach.
"Overall, the Blood Service acted appropriately and in a timely manner to rectify the data breach, and its response to the data breach provides a model of good practice for other organisations," Pilgrim said.
"The circumstances of this incident and the Blood Service's response mean that it is unlikely that there will be adverse consequences for affected individuals.
"The Blood Service has enhanced its information handling practices since the incident. The commissioner believes the community can have confidence in the Blood Service's commitment to the security of their personal information."
Speaking at the Oracle Modern Business Experience 2017 in Sydney earlier this year, Red Cross Blood Services Australia executive director of donor services Janine Wilson said her organisation had learned a lot from the incident.
"We were a business that thought it was managing data pretty well, but what's very clear to me now having gone through that is your actual IT security systems can be water tight, but there are people who operate them every day," Wilson explained. She added that sometimes there are processes and personnel that aren't always in concert that results in holes to security procedures that sometimes can't be seen.
"People responded to that honesty with a generous response, to be honest, there was a tiny minority of people who got pretty cranky -- and fair enough -- and we spoke with them on very personalised channels," Wilson said previously.
"Blood donors are collectively a fairly loyal and forgiving lot ... I think they were forgiving but I don't think they would be again."
In an effort to legislate around informing Australians of when their privacy has been breached, the federal government finally passed data breach notification laws at its third attempt in February, which will see people be alerted of their data being inappropriately accessed come February 2018.
The legislation is restricted to incidents involving personal information, credit card information, credit eligibility, and tax file number information that would put individuals at "real risk of serious harm".
Notification laws apply only to companies covered by the Privacy Act, and sees intelligence agencies, small businesses with turnover of less than AU$3 million annually, and political parties exempt from disclosing breaches.