Blood bank database cracked
The Australian Red Cross Blood Service has been hit by one of the largest data breaches in Australia's history.
Over a million personal and medical records of Australians who donated blood to the Red Cross Blood Service were exposed online for around seven weeks.
A 1.74 GB file containing 1.28 million donor records was left on a publicly-facing web server, where it was discovered by an anonymous source and sent to haveibeenpwned.com.
The file came up in a scan of IP address ranges for publicly exposed web servers that returned directory listings containing .sql files.
The file, named ‘mysqldump’ after the MySQL backup utility that produced it, was a full database backup containing everything from personal details (name, gender, physical and email address, phone number, date of birth and occasionally blood type and country of birth) to some sensitive medical information.
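As an added example (not code from the article, from ITnews or from the Red Cross Blood Service), here is a defender-side check in Python for the exposure pattern described above: it parses a directory-listing page for backup-looking files, fingerprints a file body as mysqldump output by the banner the tool writes as its first line, and lists the columns each dumped table would reveal. The listing page, the dump and every path in them are constructed for the example.

```python
"""Added example, not from the original article: detect exposed database
backups the way the scan described above would, then show what a found
mysqldump file would reveal. Sample listing and dump are constructed."""
import re
from html.parser import HTMLParser

# Extensions that usually indicate a database export or an archived backup.
DUMP_SUFFIXES = (".sql", ".sql.gz", ".sql.zip", ".dump", ".bak", ".tar.gz")


class _LinkCollector(HTMLParser):
    """Collect href targets from an autoindex-style directory listing."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def find_dump_files(listing_html):
    """Return hrefs in a directory listing that look like database backups."""
    parser = _LinkCollector()
    parser.feed(listing_html)
    return [h for h in parser.hrefs
            if h.lower().endswith(DUMP_SUFFIXES) or "mysqldump" in h.lower()]


# mysqldump writes a recognisable banner as the first line of its output.
MYSQLDUMP_BANNER = re.compile(r"^-- MySQL dump \d+\.\d+")
CREATE_TABLE = re.compile(r"CREATE TABLE `([^`]+)` \((.*?)\)\s*ENGINE=", re.S)
COLUMN_DEF = re.compile(r"^\s*`([^`]+)`", re.M)
# Column-name fragments that suggest personal or medical data (heuristic).
PII_HINTS = ("name", "email", "phone", "address", "birth", "dob", "blood")


def is_mysqldump(body):
    """True if the text starts with the banner mysqldump emits."""
    return bool(MYSQLDUMP_BANNER.match(body.lstrip()))


def dumped_tables(body):
    """Map each CREATE TABLE statement in a dump to its column names."""
    return {name: COLUMN_DEF.findall(cols)
            for name, cols in CREATE_TABLE.findall(body)}


def sensitive_columns(tables):
    """Filter each table's columns to those whose names hint at PII."""
    return {t: [c for c in cols if any(h in c.lower() for h in PII_HINTS)]
            for t, cols in tables.items()}


def report(listing_html, dump_body):
    """Summarise what an exposed listing and dump would reveal."""
    lines = [f"backup-like files in listing: {find_dump_files(listing_html)}"]
    if is_mysqldump(dump_body):
        for table, cols in sensitive_columns(dumped_tables(dump_body)).items():
            lines.append(f"table {table!r} exposes: {', '.join(cols)}")
    return "\n".join(lines)


# Constructed sample of a web server directory listing (hypothetical paths).
SAMPLE_LISTING = """<html><head><title>Index of /backups</title></head><body>
<h1>Index of /backups</h1><pre>
<a href="../">../</a>
<a href="mysqldump">mysqldump</a>                 05-Sep-2016 09:12  1.74G
<a href="site-2016-08.tar.gz">site-2016-08.tar.gz</a>  28-Aug-2016 21:00  310M
<a href="robots.txt">robots.txt</a>               02-Jan-2016 11:45   64
</pre></body></html>
"""

# Constructed sample of mysqldump output (fictional schema and row).
SAMPLE_DUMP = """-- MySQL dump 10.13  Distrib 5.7.12, for Linux (x86_64)
--
-- Host: localhost    Database: example_db
-- ------------------------------------------------------
DROP TABLE IF EXISTS `donor`;
CREATE TABLE `donor` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `first_name` varchar(64) DEFAULT NULL,
  `email` varchar(255) DEFAULT NULL,
  `date_of_birth` date DEFAULT NULL,
  `blood_type` varchar(3) DEFAULT NULL,
  PRIMARY KEY (`id`),
  KEY `idx_email` (`email`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
INSERT INTO `donor` VALUES (1,'Alex','alex@example.com','1980-01-01','O+');
"""

if __name__ == "__main__":
    print(report(SAMPLE_LISTING, SAMPLE_DUMP))
```

Run against listing pages fetched from your own hosts, this flags stray backups before a scanner does. The underlying fix is to disable directory listing on the web server and keep database backups outside the web root entirely, rather than to rely on nobody guessing the file name.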
The database collected both paper and online information from people wishing to donate blood, but did not contain data on blood reports or analyses, or responses to the full donor questionnaire.
The file was on a web server belonging to a Red Cross Blood Service technology partner, not on the organisation’s own site.
The file has been removed, after being available online from 5 September 2016 to 25 October 2016.
“We are extremely sorry and deeply disappointed to have put our donors in this position. We apologise and take full responsibility for this,” said Red Cross Blood Service chief executive Shelly Park.
“I want to assure our valued donors that we are doing absolutely everything to right this, and we will ensure that we are in the position that this will never happen again.”
Tech news outlet ITnews has gone over the finer points.