A 2016 privacy snafu which exposed the personal details of over half a million Australians was caused by “one-off human error” from a third-party contractor, the local Information Commissioner has confirmed.
Described at the time as the biggest data breach ever seen in the country stemming from a local service, the incident occurred when an employee of Precedent Communications accidentally saved a back-up file containing info on 550,000 prospective blood donors, to a public-facing server.
Details included applicants’ name, blood type, email, address and pone number, all of which could be highly valuable to phishers. It also revealed a highly sensitive question on whether the applicant had engaged in "at-risk" sexual behavior over the past year, which could have been of use to online blackmailers.
The incident went unnoticed until October 25 after which time the Australian Information Commissioner opened an investigation into the Australian Red Cross Blood Service.
Its judgement is that Precedent Communications failed in three key areas: it failed to apply its own Risk Management Policy or ensure cybersecurity arrangements were in line with the sensitivity of the data; it used live data for testing purposes, when dummy data would have done and it failed to put in place monitoring and QA processes.
It concluded:
“On this basis, the Commissioner’s view is that Precedent failed to adequately mitigate against the foreseeable risk of human error resulting in a data breach. Precedent did not take reasonable steps to protect the personal information held on the Donate Blood system from misuse and loss and from unauthorized access, modification or disclosure…”
Egress CEO, Tony Pepper, argued that human error accounts for almost half of the breaches reported to the UK’s ICO.
“What this case in particular shows is that businesses’ data handling practices need to extend beyond their own staff, to their suppliers and partners,” he added. “If they cannot ensure information security best practices are strictly followed by whoever handles the data, then any internal efforts could be in vain.”
Fred Kneip, CEO at CyberGRX, said that third party risk can be a “ticking time bomb” if not managed correctly.
“The ability to understand which third parties have weak controls that could put your data at risk is a critical step toward understanding your true third-party risk exposure,” he added.
Thanks to its quick and efficient response and co-operation following the incident, and agreement to follow an undertaking from the information commissioner, the Blood Service escaped a fine.