Red Cross Australia has experienced a massive security breach, in which the personal data of over 550,000 blood donors, including information about “at-risk sexual behavior,” has been leaked. The event is being called the largest security breach ever in Australia.
Red Cross said that it was told on Wednesday that files containing donor information from 2010 to 2016 were placed in an “insecure computer environment” and “accessed by an unauthorized person.”
The information came from an online application form and included personal details and identifying information like names, genders, addresses, and dates of birth, said a Red Cross statement.
Data breaches like this could lead to identity theft and further malware attacks. Data breaches also have far-reaching financial consequences — they cost American hospitals about $6 billion every year.
According to Red Cross Blood Service chief executive Shelly Park, the unsecured data was posted on a website by a contractor. “We apologize and we acknowledge that this is unacceptable,” she said, adding that to her knowledge, all copies of the data have now been deleted.
The breach was exposed when an anonymous Twitter user contacted Troy Hunt, an independent security expert, claiming to be in possession of Hunt’s personal information, as well as that of his wife. Hunt then notified AusCert, a cyber emergency team, which in turn contacted the Red Cross.
Hunt reported that the answers to some true-false questions, including one that asked donors whether they had ever engaged in “at-risk sexual behavior,” were included in the compromised data.
“Both the questions and answers mapped to the individuals were part of the dataset. That would be one of the most sensitive things in the breach, especially if you answered in the affirmative,” said Hunt.
The Red Cross has expressed its disappointment in the human error that led to the breach. It has set up a hotline to provide information or assistance to anyone who may have been impacted.