Axarhöfði 14, 110 Reykjavik, Iceland

Iceland - 2015
31 Oct 2016

550,000 Australian blood donors’ personal data made public after human error

A Microsoft regional director and security developer, Troy Hunt, was contacted early on Tuesday morning by an anonymous person on Twitter who told him he had obtained personal information about him and his wife.

“This guy reached out to me and said, ‘Here’s your personal data,’” Hunt said. “There was my name, my email, my phone number, my date of birth, and information about when I had last donated blood.”

It didn’t take Hunt long to figure out that the data had come from a form he had filled out online through the Red Cross blood donation form. On Friday the Red Cross Blood Service chief executive, Shelly Park, admitted at a media conference in Melbourne that the data of more than half a million blood donors across Australia had been compromised in a massive security breach, and accessed by an “unauthorised person”. “We learned that a file, containing donor information, which was located on a development website, was left unsecured by a contracted third party who develops and maintains our website,” Park said.

Hunt, who founded the website haveibeenpwned.com, said the information about his wife provided to him by the man was even more concerning. She had donated blood many more times than he had and there was more information available about her.

“Her blood type was in there,” Hunt said. “The details provided by people through the questionnaire were mostly benign, I suppose, things like, ‘Are you are you under 50kg?’ and, ‘Have you had dental procedures?’ The one which stands out though is, ‘Have you had any risky sexual activity in the last 12 months?’”

The man ended up sending Hunt the entire 1.74 GB file he had obtained. Realising how serious the situation was, Hunt immediately contacted AusCERT, a leading computer emergency response team that provides security advice to the Australian public service and not-for-profit sector.

AusCERT has now helped the Red Cross Blood Service to contain the data. “I also asked the person who sent the file to me to delete it immediately,” Hunt said. “He immediately complied. He even screen-capped his delete process showing him deleting.

“Of course, he could have made other copies. I also asked him point blank if he had passed it on and he said no, he had not.

“All we can do is take him at his word. There is also no evidence he had any malicious intent. There are a lot of people who just scan the internet for information like this. He would have had some software to do this and he would have just been trawling around to see what he could find.”

Cyber security experts have told the blood service that the risk of the data being misused was low, and those affected have been told.

But Dr Vanessa Teague, a senior lecturer at the department of computing and information systems at the University of Melbourne’s school of engineering, said that reassurance was “cold comfort”. “If one person noticed this data could be accessed, you have no idea how many other people also noticed it but chose not to notify anyone,” she said.

“The other thing is that the scientific literature always talks about deidentification of data. But what people try to do is link multiple different data sets together to break people’s privacy.

“So one of the worst things about this is the possibility that other data sets that might have been privacy-preserving on their own might be more at risk because of the extra clues given in this blood data set, such as names and addresses, that wouldn’t normally be part of a deidentified data set.”

Those affected by the data breach have been sent a text message that reads: “The Blood Service has identified a potential data issue that may affect you,” with a link to the service’s website for more information. Chris Culnane, a University of Melbourne programming languages and human-computer interaction expert, said it was worth pointing out that those who completed the Red Cross online questionnaire had done so before filling out their personal details.

“If you answer any of the questions [such as, ‘Have you had a tattoo in last four months?’ and, ‘Are you pregnant or have you just given birth?’] in the affirmative, you are declined with no further questions being asked and no personal details being taken.

“So I assume that the data collected is only from people who have answered no to all of the questions. Due to the structure of the quiz, the linking would have to be on the negation of the answers.”
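Teague’s point about linkage, and Culnane’s about which fields the leaked file carried, both come down to one measurable property: how many records share the same combination of quasi-identifiers. The script below is an added illustration, not part of the Guardian article or anything the Blood Service published; it runs over a small constructed extract (the names, postcodes and values are invented) and computes k-anonymity for two column sets: the fields a deliberately de-identified research release might contain, and the richer set the leaked file is described as containing. It also reports which single column a custodian could suppress to get the minimum class size back above a chosen k.

```python
from collections import Counter
from typing import Dict, List, Sequence

# Constructed sample extract (not real donor data). A research release might
# carry only blood_type and birth_year; the leaked file is described as also
# carrying direct identifiers and locality, modelled here by "name" and "postcode".
RECORDS: List[Dict[str, object]] = [
    {"name": "Donor 1", "postcode": "3000", "birth_year": 1980, "blood_type": "O+"},
    {"name": "Donor 2", "postcode": "3000", "birth_year": 1980, "blood_type": "A+"},
    {"name": "Donor 3", "postcode": "3000", "birth_year": 1975, "blood_type": "O+"},
    {"name": "Donor 4", "postcode": "3121", "birth_year": 1980, "blood_type": "O+"},
    {"name": "Donor 5", "postcode": "3121", "birth_year": 1975, "blood_type": "A+"},
    {"name": "Donor 6", "postcode": "3121", "birth_year": 1975, "blood_type": "O+"},
    {"name": "Donor 7", "postcode": "3000", "birth_year": 1975, "blood_type": "A+"},
    {"name": "Donor 8", "postcode": "3121", "birth_year": 1980, "blood_type": "A+"},
]


def equivalence_classes(records: Sequence[Dict[str, object]],
                        quasi_identifiers: Sequence[str]) -> Counter:
    """Count how many records share each combination of quasi-identifier values."""
    return Counter(tuple(r[c] for c in quasi_identifiers) for r in records)


def k_anonymity(records: Sequence[Dict[str, object]],
                quasi_identifiers: Sequence[str]) -> int:
    """Smallest equivalence class; k == 1 means at least one record is unique."""
    return min(equivalence_classes(records, quasi_identifiers).values())


def unique_fraction(records: Sequence[Dict[str, object]],
                    quasi_identifiers: Sequence[str]) -> float:
    """Share of records that are the only one with their quasi-identifier combination."""
    classes = equivalence_classes(records, quasi_identifiers)
    singletons = sum(size for size in classes.values() if size == 1)
    return singletons / len(records)


def columns_restoring_k(records: Sequence[Dict[str, object]],
                        quasi_identifiers: Sequence[str], k: int) -> List[str]:
    """Single columns whose suppression brings the remaining set back to at least k."""
    result = []
    for col in quasi_identifiers:
        remaining = tuple(c for c in quasi_identifiers if c != col)
        if remaining and k_anonymity(records, remaining) >= k:
            result.append(col)
    return result


def risk_report(records: Sequence[Dict[str, object]],
                quasi_identifiers: Sequence[str]) -> Dict[str, object]:
    """Summary a custodian would look at before releasing a column set."""
    return {
        "quasi_identifiers": tuple(quasi_identifiers),
        "k": k_anonymity(records, quasi_identifiers),
        "unique_fraction": unique_fraction(records, quasi_identifiers),
    }


if __name__ == "__main__":
    research_release = ("birth_year", "blood_type")          # k = 2, nobody unique
    leaked_like = ("postcode", "birth_year", "blood_type")   # k = 1, everyone unique
    print(risk_report(RECORDS, research_release))
    print(risk_report(RECORDS, leaked_like))
    print("suppress one of:", columns_restoring_k(RECORDS, leaked_like, 2))
```

On this tiny extract the two-column release puts every record in a class of two, while adding postcode makes every record unique; that is the “extra clues” effect Teague describes, measured rather than asserted. Real extracts need the same check with the actual column set and population, and a direct identifier such as name always yields k = 1.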

Tags: information leaks
Source: The Guardian