The Australian Red Cross Blood Service has apologized after a database backup file containing over one million donor records including highly sensitive information on sexual activity was exposed to the public.
The ‘breach,’ which is said to the country’s biggest, came after a partner published the 1.74GB mysqldump file to a publicly facing website with directory browsing enabled.
This meant that an unnamed researcher was able to find it at random using a simple IP address scan for publicly exposed web servers returning directory listings.
He then told HaveIbeenpwned? founder Troy Hunt who contacted the AusCERT.
“There is no good reason to place database backups on a website, let alone a publicly facing one,” he wrote in a lengthy blog post explaining the situation.
The data included over 1.2 million records pertaining to 550,000 blood donor applicants. The information crucially included answers to a highly sensitive question on whether the applicant had engaged in "at-risk" sexual behavior over the past year.
Other info included names, blood types, dates of birth, email and snail mail addresses and phone numbers – all of which could be used in subsequent phishing attacks.
In a statement apologizing for the incident the Blood Service said it has taken immediate action to resolve the problem and informed the police and Australian Information Commissioner.
“To our knowledge all known copies of the data have been deleted. However, investigations are continuing,” said Blood Service CEO Shelly Park in a statement.
“The online forms do not connect to our secure databases which contain more sensitive medical information. The Blood Service continues to take a strong approach to cyber safety so donors and the Australian public can feel confident in using our systems.”
It remains to be seen if any other parties found the exposed information before the incident was flagged. It’s unclear how long the data was left publicly available, but it contains info on donors who’ve registered between 2010 and 2016.