INSIGHT

OAIC concludes investigation of Australian Red Cross data breach

By Gavin Smith, Valeska Bloch

In brief

A one-off human error by an employee of a third-party provider led to a massive data breach at the Australian Red Cross Blood Service late last year. Nearly a year after the breach, the Australian Information Commissioner and Privacy Commissioner, Timothy Pilgrim, has concluded his investigation.

What happened?

In October 2016, a database file containing information relating to approximately 550,000 prospective blood donors was inadvertently saved to a publicly accessible portion of a webserver managed by an employee of the third-party provider, Precedent Communications. Some of the exposed information was particularly sensitive, including answers to questions about sexual behaviour.

The Red Cross became aware of the breach after an unknown individual who found the exposed file contacted a cyber security expert, Troy Hunt. Mr Hunt then contacted the Australian Computer Emergency Response Team (AusCERT), which notified the Red Cross. AusCERT also contacted the internet service provider that hosted the website to have the exposed site taken offline.
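The failure described above is a database export sitting inside a web server's document root, where anyone who guesses or lists the path can download it. The following is an added example, not code from the OAIC report, the Red Cross or Precedent Communications: a host-side check that walks a document root and flags files that look like database dumps, by file extension and, for renamed files, by the header bytes that common export tools write. The directory layout, file names and contents are constructed for illustration.

```python
"""Scan a web document root for database exports a web server would serve.

Added example for this article (not from the OAIC report or the Red Cross).
The sample directory tree built below is constructed for illustration.
"""
import tempfile
from pathlib import Path

# Extensions that a dump or backup typically carries when it is copied into a webroot.
DUMP_EXTENSIONS = (".sql", ".sql.gz", ".sql.zip", ".dump", ".bak", ".csv.gz")

# Leading bytes written by common export tools, so that a dump renamed to an
# innocent-looking extension is still caught.
DUMP_SIGNATURES = (
    b"-- MySQL dump",                 # mysqldump plain-text output
    b"-- PostgreSQL database dump",   # pg_dump plain-text output
    b"PGDMP",                         # pg_dump custom/tar format
    b"SQLite format 3\x00",           # SQLite database file
)


def looks_like_dump(path: Path, sniff_bytes: int = 64) -> bool:
    """True if the file name or its first bytes indicate a database export."""
    name = path.name.lower()
    if any(name.endswith(ext) for ext in DUMP_EXTENSIONS):
        return True
    try:
        with path.open("rb") as fh:
            head = fh.read(sniff_bytes)
    except OSError:
        return False
    return any(head.startswith(sig) for sig in DUMP_SIGNATURES)


def find_exposed_dumps(webroot: str) -> list[str]:
    """Return URL paths (relative to the document root) of suspected dumps."""
    root = Path(webroot)
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and looks_like_dump(path):
            findings.append("/" + path.relative_to(root).as_posix())
    return findings


def build_sample_webroot() -> str:
    """Constructed sample tree: an ordinary site plus two misplaced exports."""
    root = Path(tempfile.mkdtemp())
    (root / "index.html").write_text("<html>donor registration</html>")
    (root / "css").mkdir()
    (root / "css" / "site.css").write_text("body { margin: 0 }")
    (root / "backup").mkdir()
    # Caught by extension.
    (root / "backup" / "donors.sql").write_bytes(b"-- MySQL dump 10.13\n")
    (root / "uploads").mkdir()
    # Renamed dump: caught only by its pg_dump header.
    (root / "uploads" / "export.dat").write_bytes(b"PGDMP" + b"\x00" * 20)
    return str(root)


if __name__ == "__main__":
    for hit in find_exposed_dumps(build_sample_webroot()):
        print("possible database export reachable at", hit)
```

The check runs on the host, so it finds what sits under the document root; it says nothing about how the file got there, which in this case was a handling mistake rather than an intrusion. In practice it belongs in a scheduled job on every server a third party operates on your behalf, with the list of document roots taken from the web server configuration rather than guessed.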

How did the Red Cross respond?

Upon being notified of the breach, the Red Cross took immediate steps to contain it. These included:

  • confirming (through AusCERT) that the copies of the data file held by the unknown individual and by Mr Hunt had been deleted;
  • engaging an identity and cyber support service to undertake a risk assessment of the information compromised;
  • issuing press releases confirming that a data breach had occurred and publishing statements on its website and social media sites;
  • establishing a dedicated website, telephone hotline and an email inquiry facility to respond to public enquiries;
  • notifying affected individuals via text message and email; and
  • engaging specialist organisations to conduct a forensic analysis of the exposed server, to monitor its website for vulnerabilities or unusual activity, and to monitor the dark web for evidence that the data was being traded.1

Outcome of the OAIC's Investigation

The Commissioner found that the Red Cross had failed to implement contractual or other measures to ensure that Precedent Communications had adequate security arrangements in place. Nonetheless, the Commissioner commended the Red Cross for its prompt response, describing its handling of the breach as a model of good practice for other organisations.

Steps taken by the Red Cross

Since the incident, the Red Cross has enhanced its information handling practices and has given an enforceable undertaking to engage an independent reviewer to review its third-party management policy and standard operating procedure. Precedent Communications has also given an enforceable undertaking to the Commissioner to establish a data breach response plan and to update its privacy and data protection policy.

Our Cyber Security Tip Sheet is designed to help you prepare and quickly respond to cyber security incidents.

Footnotes

  1. Office of the Australian Information Commissioner, Investigation Report: DonateBlood.com.au data breach (Australian Red Cross Blood Service) (7 August 2017).