If you’ve donated blood to the Australian Red Cross, you can feel rightly proud of being part of an important medical process. But it also means you might feel a little nervous at today’s news: an anonymous source has been able to access 1.28 million private records going back to 2010.
The breach was revealed today via our sister site iTnews.
It appears that a 1.78GB file was published to a public-facing website, where it was discovered and then shared with Troy Hunt of haveibeenpwned.com.
“This is a seriously egregious cock-up – this should never happen,” Hunt told iTnews.
“There are no good reasons to put database backups on a publicly-facing website.” The issue was compounded by the fact that directory browsing was enabled on the server, he said.
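The two conditions Hunt describes, a database backup inside a web root and directory browsing switched on, are exactly what a routine external check should catch before a stranger does. The script below is an added example written for this article, not code from iTnews, Troy Hunt or the Red Cross: it parses an HTTP response body, flags pages that look like an Apache or nginx autoindex listing, and reports any linked filenames that look like database dumps or archives. The backup-extension list, the heuristics, and the sample pages it ships with are all constructed for illustration and say nothing about the actual server or file involved in the incident.

```python
import re
import sys
import urllib.request
from html.parser import HTMLParser
from urllib.parse import unquote

# Extensions that usually mean a database dump or archive is sitting in the
# web root. Assumed list for this example; extend it to match your own stack.
BACKUP_EXT = re.compile(
    r"\.(?:sql|sql\.(?:gz|bz2|zip)|bak|dump|dmp|mdb|sqlite3?|db|tar\.gz|tgz|zip|7z)$",
    re.IGNORECASE,
)


class _ListingParser(HTMLParser):
    """Collects the <title> text, <h1> text and every href on the page."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self.h1 = ""
        self.links = []
        self._capture = None

    def handle_starttag(self, tag, attrs):
        if tag in ("title", "h1"):
            self._capture = tag
        elif tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(unquote(value))

    def handle_endtag(self, tag):
        if tag == self._capture:
            self._capture = None

    def handle_data(self, data):
        if self._capture == "title":
            self.title += data
        elif self._capture == "h1":
            self.h1 += data


def is_directory_listing(html):
    """Heuristic for autoindex pages: Apache and nginx both emit an
    'Index of <path>' title/heading, and nginx adds a '../' parent link."""
    p = _ListingParser()
    p.feed(html)
    banner = "index of" in (p.title + " " + p.h1).lower()
    parent_link = any(link in ("../", "..") for link in p.links)
    return banner or (parent_link and len(p.links) > 1)


def exposed_backups(html):
    """Sorted list of linked filenames that look like dumps or archives."""
    p = _ListingParser()
    p.feed(html)
    hits = set()
    for link in p.links:
        name = link.split("?", 1)[0].rstrip("/").rsplit("/", 1)[-1]
        if BACKUP_EXT.search(name):
            hits.add(name)
    return sorted(hits)


def audit_html(html):
    return {"directory_listing": is_directory_listing(html),
            "backup_files": exposed_backups(html)}


def audit_url(url, timeout=10):
    """Live check against one URL you are authorised to test."""
    req = urllib.request.Request(url, headers={"User-Agent": "listing-audit/1.0"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        body = resp.read().decode("utf-8", errors="replace")
    return audit_html(body)


# Constructed sample responses (not captured from any real server).
SAMPLE_NGINX_LISTING = """<html><head><title>Index of /backups/</title></head>
<body><h1>Index of /backups/</h1><hr><pre><a href="../">../</a>
<a href="site_backup.sql.gz">site_backup.sql.gz</a>  05-Sep-2016 10:12  2.3G
<a href="members.sql">members.sql</a>  01-Sep-2016 09:00  800M
<a href="README.txt">README.txt</a>  01-Sep-2016 09:00  1K
</pre><hr></body></html>"""

SAMPLE_APACHE_LISTING = """<html><head><title>Index of /db</title></head>
<body><h1>Index of /db</h1><table><tr><td><a href="/">Parent Directory</a></td></tr>
<tr><td><a href="nightly.bak">nightly.bak</a></td></tr></table></body></html>"""

SAMPLE_NORMAL_PAGE = """<html><head><title>Welcome</title></head>
<body><h1>Welcome</h1><a href="/">Home</a><a href="/about/">About</a>
<a href="/files/brochure.pdf">Brochure</a></body></html>"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(audit_url(sys.argv[1]))
    else:
        for sample in (SAMPLE_NGINX_LISTING, SAMPLE_APACHE_LISTING, SAMPLE_NORMAL_PAGE):
            print(audit_html(sample))
```

Run it with a URL to check a host you are allowed to test, or with no arguments to see it classify the three constructed pages. A positive result means two fixes, not one: move the backup out of the document root entirely (a backup that is only hidden by a disabled index is still one guessed filename away from exposure), and then turn listing off, which is `Options -Indexes` in Apache and `autoindex off;` in nginx.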
The file was removed on Wednesday. Hunt said there was no evidence of it having been accessed by anyone else, and both he and the anonymous source had deleted their copies.
The file includes details such as name and address, and sensitive information such as whether or not an individual has engaged in high-risk sexual behaviour.
The Red Cross has said it is “deeply disappointed” by the breach. It appears that no one other than the anonymous source accessed the data, and both the source and Hunt have since deleted their copies.
Troy Hunt goes into much more detail about the incident here, and it’s well worth reading.