Australian Red Cross apologises for massive data leak

Half a million Australians look to be impacted by a data leak that the Red Cross has put down to human error.
Written by Chris Duckett, Contributor

A 1.74GB MySQL database backup containing 1.3 million rows and 647 different tables from the Australian Red Cross has been found to be publicly available, security researcher Troy Hunt has revealed.

As detailed by Hunt in a blog post, the data comes from an online donor application form that contains details including name, gender, address, email, phone number, date of birth, country of birth, blood type, and other donation-related data, as well as appointments they made.

Hunt said he believes this is the largest unintended release of personal data seen so far in Australia, and that a partner of the blood service was responsible, not the Red Cross itself.

"It's highly unlikely there was a valid reason for them to provide the partner with such an extensive amount of data and I'm sure there will be many questions asked as to how so much information should have been shared in the first place and indeed how much is shared in the future," Hunt wrote.

In a press conference on Friday, the Australian Red Cross apologised for the incident.

"The issue occurred due to human error," Australian Red Cross Blood Service CEO Shelly Park told journalists. "The back-up file contained 550,000 people who completed a web form to access a donation between 2010 and 2016."

"I wish to stress that this file does not contain the deep personal records of people's medical history or of their test results."

After being alerted by AusCERT, the Australian Red Cross said it was taking advice from the Australian Cyber Security Centre, and was in the process of notifying donors.

"We have been told that there is a very low risk of future misuse," Park said. "However, donors affected do need to be aware there is an increased risk of cybersecurity and they, therefore, need to look at phone and email scams.

"We are extremely sorry. We are deeply disappointed to have put our donors in this position."

In a statement released later on Friday, the Australian Red Cross said the form they used to collect the leaked data did not connect to its other databases which contain "more sensitive medical information".

Hunt said both he and the person who provided him with the Red Cross data have deleted their copies, highlighting the personal nature of the data, as people had provided answers to the donor eligibility questions.

"Each donor is asked questions such as whether or not they're on antibiotics, if they're under or over weight, and if they've had any recent surgical procedures. They're personal questions, no doubt, but one of them particularly stands out in terms of sensitivity: 'In the last 12 months, have you engaged in at-risk sexual behaviour?'" he said.

"Clearly that is a deeply personal, private attribute that could be enormously sensitive if the answer is in the affirmative. Because there are many eligibility questions for each donor, there are a total of 7,343,537 answers in the system and naturally, many of these relate to the question of at-risk sexual behaviour."

The Australian Privacy Commissioner said it is conducting an investigation into the leak.

Updated at 1.50pm AEDT, October 28, 2016: Added statements from Australian Red Cross Blood Service and Australian Privacy Commissioner.
