Contractor behind Australia's biggest-ever data breach revealed

Over four frantic days that must have felt like mere minutes, the Red Cross Blood Service has been battling to deal with a data breach that exposed the sensitive personal and medical records of 550,000 of its donors online.

An anonymous individual stumbled across the 1.74GB file containing 1.28 million records while scanning IP address ranges for publicly exposed web servers containing .sql files.

The Red Cross Blood Service became aware of the blunder on Tuesday morning through a chain of communications that included security researcher Troy Hunt and Australia’s computer emergency response team AusCERT.

That was also the day its website maintenance and development contractor, Precedent, found out about the giant breach it had inadvertently caused.

Precedent was engaged by the blood service to redesign and maintain its core website, www.donateblood.com.au, in 2015.

It created a Drupal 7-based responsive site to make it easier for people who have never donated blood to find out more about the process, and to make bookings for donors much simpler.

The new site was launched to the public in November last year.

However, a human error made by one of Precedent’s technical team meant a database backup containing all the information donors enter as part of their booking process was exposed online from a separate server for almost two months from September 5 this year.

Precedent's APAC delivery director Rob Van Selm confirmed his company’s involvement in the breach to iTnews.

He said the firm was continuing to help the Red Cross Blood Service and AusCERT with their investigations.

Van Selm declined to comment on the events leading up to the breach other than to admit “human error” was the cause. He said further information would come to light in due course.

“We’re trying to determine where the issue lies and who is responsible,” he told iTnews.

The contents of the mysqldump database backup contained significant personal details like name, gender, physical and email address, phone number, date of birth, and country of birth.

However, what separates it from other headline breaches of recent years is the inclusion of sensitive medical information, like data on blood type and instances of high-risk sexual behaviour.

The scale and severity of the breach has prompted an investigation by the Privacy Commissioner, who will soon begin dissecting what has now earned the crown of Australia’s biggest - and most sensitive - data breach to date.