Australia's biggest data breach sees 1.3m records leaked

More than one million personal and medical records of Australian citizens donating blood to the Red Cross Blood Service have been exposed online in the country’s biggest and most damaging data breach to date.

A 1.74 GB file containing 1.28 million donor records going back to 2010, published to a publicly-facing website, was discovered by an anonymous source and sent to security expert and operator of haveibeenpwned.com Troy Hunt early on Tuesday morning.

The database was uncovered through a scan of IP address ranges configured to search for publicly exposed web servers that returned directory listings containing .sql files.

The contents of the 'mysqldump' database backup contains everything from personal details (name, gender, physical and email address, phone number, date of birth and occasionally blood type and country of birth) to sensitive medical information, like whether someone has engaged in at-risk sexual behaviour in the last year.

The database collected information submitted when an individual books an appointment - either on paper or online - to donate blood. The process requires donors to enter their personal details and fill out an eligibility questionnaire.

It does not contain data on blood reports or analyses, or responses to the full donor questionnaire all blood bank visitors are required to fill out at the time of their donation.

The database was published on the webserver of a Red Cross Blood Service technology partner that maintains the service's website, not the organisation’s www.donateblood.com.au site where online bookings are made.

Update: the service provider has been revealed as international digital agency Precedent.

"This is a seriously egregious cock-up - this should never happen," Hunt told iTnews.

"There are no good reasons to put database backups on a publicly-facing website." The issue was compounded by the fact that directory browsing was enabled on the server, he said.

The file was removed on Wednesday. The blood service said it was available online from 5 September 2016 to 25 October 2016.

Hunt said there was no evidence of the file having been accessed by anyone else, and both he and the anonymous source had deleted their copies.

Australia’s computer emergency response team, AusCERT, has been working with the Red Cross after being notified to the breach by Hunt on Tuesday.

The Red Cross indicated around 550,000 individual donors were impacted.

It attributed the issue to "human error" and said it was "deeply disappointed" to be in this position.

The service has started notifying affected donors today.

"We are extremely sorry and deeply disappointed to have put our donors in this position. We apologise and take full responsibility for this," Red Cross Blood Service chief executive Shelly Park.

"I want to assure our valued donors that we are doing absolutely everything to right this, and we will ensure that we are in the position that this will never happen again."

The total amount of records makes the breach the largest ever leak of personal data in Australia, vastly surpassing similar breaches at the likes of Kmart, David Jones, Aussie Farmers Direct and Catch of the Day.

It is also the first time sensitive medical details of Australian citizens have been leaked online at scale.

However, Hunt said he did not want the breach to discourage people from donating blood and potentially impacting Australia’s crucial blood supply.

“The bigger picture here is that this is lifesaving stuff,” he told iTnews.

“I’ve registered an appointment for Monday through the site and entered all my legitimate information to try and encourage people to donate.”

Privacy Commissioner Timothy Pilgrim has said he will investigate the breach and make his findings public.

"I welcome [the Red Cross'] prompt actions to prevent any further disclosure of this highly sensitive personal information," he said in a statement.

"My office encourages voluntary notification of data breaches, particularly where there is a risk to an individual as a result of a breach. This is good privacy practice as it gives individuals the opportunity to take proactive steps to protect their personal information and also helps to protect an organisation’s reputation by displaying transparency."