
Red Cross data breach shows security is still not a priority

The Australian Red Cross Blood Service has responded quickly to a breach of 550,000 donor details, but security commentators say the incident shows security is still not a priority for many organisations


The Australian Red Cross Blood Service has admitted that the personal details of 550,000 donors were placed on a publicly accessible web server by mistake.

Security commentators say the error could have exposed the donors to identity theft or other crimes and underlines the fact that data security is still not a top priority for many organisations.

The Red Cross said on 26 October that its blood service had become aware that a file containing donor information had been placed in an insecure environment by a third-party website developer.

The file contained registration information collected between 2010 and 2016, including details such as names, addresses, dates of birth and other personal details.

The Red Cross said someone scanning for security vulnerabilities had alerted the Australian Cyber Emergency Response Team (AusCERT), which helped the blood service to address the problem.

The blood service has also contacted the Australian Cyber Security Centre, the Australian Federal Police and the Office of the Australian Information Commissioner.

According to the blood service, IDCARE, a national identity and cyber support service, had assessed the information accessed as being of low risk of future direct misuse.

“To our knowledge, all known copies of the data have been deleted,” said Shelly Park, chief executive of the blood service. “However, investigations are continuing.”

Park said the online forms do not connect to the service’s secure databases, which contain more sensitive medical information.

“The blood service continues to take a strong approach to cyber safety so that donors and the Australian public can feel confident in using our systems,” she said.

“We are incredibly sorry to our donors. We are deeply disappointed this could happen. We take full responsibility and I assure the public we are doing everything in our power to not only right this, but to prevent it from happening again.”


The blood service is trying to contact everyone who made an application to be a blood donor on the site and inform them of the potential data breach. The organisation has also set up a hotline, website and email address to provide information for donors.

While some commentators have praised the organisation for the way it responded to the breach – described as the worst in Australia to date – others have been critical of the lax attitude to security that led to the breach in the first place.

“In this age of data-sharing, many organisations look at logistics before security,” said Mark James, security specialist at ESET. “If the data needs to be accessible by many people, then that priority is top of the list.”

According to James, protecting data requires multi-layered defence comprising security software, hardware, education and expertise.

“Failure to ensure software is patched and up to date is one of the biggest problems,” he said. “As a result, many webservers are using outdated software that still has vulnerabilities or flaws waiting to be exploited.”

With software available to scan multiple IP addresses looking for certain types of file, most of the hard work has already been done for the attacker, said James.

Correct authentication methods

However, he said the likelihood of breaches could be reduced significantly if the correct authentication methods are in place and there are periodic security reviews on all servers holding or handling private data.

“Having open facing servers available for plunder by all and sundry is just sloppy these days and is easily fixable,” said James.
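The scanning James describes and the periodic review he recommends are the same question asked from opposite sides: which files under the web root would an automated scan pull down? The script below is an added example, not code from the Red Cross Blood Service, the website developer involved, or this article. It walks a document root and flags files by suffix, by name and by content (a SQL dump under an innocent name is still a SQL dump), then emits a compensating nginx rule so the same class of file is not served next time. The directory layout and file contents created by build_demo_root() are constructed for the demo, and the suffix and name lists are assumptions to tune per site.

```python
"""Audit a web document root for data files an internet-wide scanner would find.

Added example, not code from the organisation or article discussed. The file
names, directory layout and sample contents below are constructed for the demo.
Run it against a real document root with:  audit_webroot("/var/www/html")
"""
import gzip
import re
import tempfile
from pathlib import Path

# Extensions typical of database exports and backups left beside a web site (assumed list).
RISKY_SUFFIXES = (".sql", ".sql.gz", ".bak", ".csv", ".dump", ".zip", ".tar.gz", ".old")
# Name fragments that suggest a data export (assumed list; extend for your site).
RISKY_NAMES = re.compile(r"backup|dump|export|donor|member", re.I)
# Byte patterns that identify a SQL dump even when it carries an innocuous name.
SQL_MARKERS = (b"CREATE TABLE", b"INSERT INTO", b"-- MySQL dump")


def looks_like_sql_dump(path: Path, limit: int = 4096) -> bool:
    """Return True if the first bytes of the file look like a SQL dump.

    Gzipped files are decompressed on the fly; unreadable files count as clean.
    """
    opener = gzip.open if path.suffix == ".gz" else open
    try:
        with opener(path, "rb") as fh:
            head = fh.read(limit)
    except (OSError, EOFError):
        return False
    return any(marker in head for marker in SQL_MARKERS)


def audit_webroot(root) -> list:
    """Walk the document root and report every file a scanner would treat as loot.

    Each finding records the web-relative path, size and which heuristics fired
    (suffix, name, content), so a reviewer can decide what to pull offline.
    """
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        name = path.name.lower()
        reasons = []
        if name.endswith(RISKY_SUFFIXES):
            reasons.append("suffix")
        if RISKY_NAMES.search(name):
            reasons.append("name")
        if looks_like_sql_dump(path):
            reasons.append("content")
        if reasons:
            findings.append({
                "path": path.relative_to(root).as_posix(),
                "size": path.stat().st_size,
                "reasons": reasons,
            })
    return sorted(findings, key=lambda f: f["path"])


def nginx_deny_location(suffixes=RISKY_SUFFIXES) -> str:
    """Emit an nginx location block that refuses to serve the risky suffixes.

    Compensating control only: the real fix is to keep exports out of the
    document root, but this stops a scanner downloading the next one.
    """
    alternatives = "|".join(re.escape(s.lstrip(".")) for s in suffixes)
    return "location ~* \\.(%s)$ {\n    deny all;\n}\n" % alternatives


def build_demo_root() -> str:
    """Create a constructed document root with one clean file and three exposures."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    (root / "index.html").write_bytes(b"<html><body>Donate blood today</body></html>")
    dump = root / "assets" / "backup" / "db-export.sql.gz"
    dump.parent.mkdir(parents=True)
    with gzip.open(dump, "wb") as fh:  # gzipped SQL dump: suffix + name + content all fire
        fh.write(b"-- MySQL dump 10.13\nCREATE TABLE `donors` (id int, name text);\n"
                 b"INSERT INTO `donors` VALUES (1,'Jane Citizen');\n")
    csv = root / "uploads" / "donors.csv"
    csv.parent.mkdir()
    csv.write_bytes(b"first_name,dob,postcode\nJane,1980-01-01,2000\n")  # suffix + name
    txt = root / "data" / "report.txt"
    txt.parent.mkdir()
    txt.write_bytes(b"weekly notes\nINSERT INTO donors (name) VALUES ('x');\n")  # content only
    return str(root)


if __name__ == "__main__":
    for finding in audit_webroot(build_demo_root()):
        print(f"{finding['path']:32} {finding['size']:>6} bytes  {','.join(finding['reasons'])}")
    print(nginx_deny_location())
```

The content check matters more than the name lists: a developer who renames a dump to something innocuous to "hide" it has not hidden it from anyone who fetches the file, so the audit reads the first few kilobytes rather than trusting the filename. Run the audit from cron against every public document root and treat any finding as an incident, since the file has already been reachable for as long as it has been there.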

Steve Murphy, senior vice-president for Europe at data giant Informatica, said that if organisations do not track where their data is moving and who holds it, it is only a matter of time before a damaging breach occurs.

“With sensitive data often passing between multiple companies during partnerships and sales, it is essential that organisations have a data-centric security strategy in place to ensure that data is secure wherever it goes,” he said.

The cost of poor data security is now far more than just financial, said Murphy. “Consumers are sharing more and more personal information with a wide range of organisations, from medical trusts to e-vendors, and, as a result, businesses that fail to secure that data risk inadvertently exposing their customers to blackmail, impersonation and scams – not to mention the reputational damage to the company.”

1 comment

Users should also consider online security while accessing public WiFi. I would urge them to buy a VPN with 256-bit encryption, which will ensure complete internet freedom regardless of one's geographical location. My recommendation would be PureVPN, with 500 servers and a presence in 140+ countries. You are also encouraged to look for other options. Stay safe.
