
Sexual history, personal info of 550,000 Australians leaked online in Red Cross data breach

Security researchers are concerned that a data breach of Australia's Red Cross blood services will stop people from donating blood. AP Photo/Toby Talbot, File

Hundreds of thousands of Australian blood donors had their personal information and sexual history leaked online Wednesday after an “unauthorized person” accessed the Australian Red Cross blood service website.

The data included registration information for 550,000 blood donors, made between 2010 and 2016, including donor names, addresses and dates of birth.

The breach, which is believed to be Australia’s largest ever leak of personal data, also included donors’ answers regarding drug use and whether they had engaged in “at-risk sexual behaviour,” including gay male sex, sex work and exposure to sexually transmitted diseases including HIV.

The Red Cross attributed the breach to “human error,” explaining that the file was placed on an unsecure server by a third-party company that maintains its website.

After receiving a tip, security researcher Troy Hunt – who runs the data breach monitoring website “Have I Been Pwned” – discovered 1.76GB worth of data from the donateblood.com.au website.

“There is no good reason to place database backups on a website, let alone a publicly facing one. There are many bad reasons (usually related to convenience), but no good ones.”

The Red Cross maintains that no sensitive personal health information was leaked as a result of the breach. In a statement, the organization said it was working with the Australian Computer Emergency Response Team (AusCERT) to delete “all known copies” of the files online and has partnered with a team of security experts to conduct a forensic analysis of the incident.

While the Red Cross said initial investigations show that the database was accessed on Oct. 26, it remains unclear whether any of the information was copied or stolen.

“We take the security of information our donors provide extremely seriously and have done everything in our power, since becoming aware of this situation, to address this security issue,” read a statement from the Red Cross. “We take full responsibility for this mistake and apologise [sic] unreservedly to all affected. We take cyber security very seriously and we are deeply disappointed this occurred.”

The organization said it is working to notify all affected donors about the data breach and has set up a dedicated hotline and email address for those with questions about the leak.

Hunt – whose donor information was actually leaked as a result of this breach – noted that it was his responsibility to publicly disclose the breach, but expressed concerns that the incident would make people around the world wary of donating blood.

“I was really conscious when I first started looking into this that the incident would make life hard on the Red Cross. It’s going to cost them money, it’s bad publicity and there’s a real chance that people may actually feel less inclined to give blood,” he wrote.

“I’ve booked an appointment for the first available spot at my local donation centre so come Monday, the Red Cross will have my blood. They also now have my data (again) and yes, it’s the correct data with honest answers to all questions.”

The security researcher added, “I don’t like that my data was exposed in this way but let us not lose focus on life’s bigger issues.”
