Almost 1.3 million records of Australian donors to the Red Cross Blood Service have been exposed online in what is apparently the country's largest ever data breach. Personal details like names and addresses, blood type and sexual history, discovered by an anonymous individual and verified by security researcher Troy Hunt, were published to a public-facing website of one of the Blood Service's technology partners.
Although the file has since been taken down and both the original discoverer and Hunt — of Have I Been Pwned? fame — have deleted their copies of the 1.74GB file, 1,286,366 records of Australian blood donors including Hunt's wife were hosted publicly on the website, with the file itself originally discovered in a simple scan of IP addresses hosting publicly-available directories. iTNews is calling the breach the largest ever of Australian citizens' personal records.
Hunt detailed the discovery on his blog, saying that his own records, and his wife's, made the legitimacy of the breach easy to confirm, with name, email and physical address, phone number, gender, date of birth and a top-level sexual history available in just one table out of 647 available through public-facing site. This kind of data is rarely stored on a website at all, let alone a publicly accessible one, and the fact that the website had directory browsing — letting any interested party navigate around as if looking through folders on a desktop PC — is icing on the cake.
The online form, and an offline equivalent that also fed data into the database, has been used by the Red Cross since 2010. Red Cross chief executive officer Shelly Park has apologised for the breach, saying that it is being investigated. "As an organisation, we are still in the process of completing our investigation and we have engaged forensic experts to help us with this. We apologise, and we acknowledge that this is unacceptable."
The data included many duplicates of individuals' data who registered to donate or donated blood more than once, with approximately 550,000 unique names and 413,000 unique email addresses associated with the data. The data appears to have been gathered as pre-screening for donations, and as such many entries did not include donors' blood types who did not already know and supply them. Almost 7,500,000 responses included an answer to the question "in the last 12 months, have you engaged in at-risk sexual behaviour?"
The Red Cross is reaching out to the around 550,000 Australian donors whose details may have been compromised, ABC reports. Australia's national computer emergency response team, AusCERT, is working with the organisation to secure the data, which was taken offline on Wednesday after Hunt was made aware of it on Tuesday morning and coordinated with AusCERT that afternoon. [Troy Hunt / iTNews]