550,000 blood donors exposed online in Red Cross data breach

Leaked data included contact details, blood type, and information about sexual behaviour.
By Jerico Mandybur

Personal details of over half a million Red Cross blood donors have been leaked online in a mass security breach in Australia.

The breach meant 550,000 citizens (out of 1.3 million available records) had private information such as their address, contact details, blood type and details of previous donations posted online by an "unauthorised person."

The information compromised also includes whether or not the individual had taken drugs or engaged in "at-risk sexual behaviour" such as sex work and gay male sex.


The now-removed donor file included information as far back as 2010 and the incident has been blamed on "human error."

The organisation explained that the compromised file was a back-up of the enquiry form available on the Australian Red Cross Blood Service website, with chief executive Shelly Park telling reporters on Friday "we learned that a file, containing donor information, which was located on a development website, was left unsecured by a contracted third party who develops and maintains our website."

She explained the file was taken offline and the incident is now subject to a forensic investigation.

"I wish to stress that this file does not contain the deep personal records of people’s medical history or of their test results. We are notifying donors as early as we believe we can, and we are notifying donors today," Park said.

The Red Cross has also released a statement online explaining that they are working with cyber security organisation AusCERT to delete "all known copies" of the archive online.

However, finding out exactly who was able to copy the data before it was taken offline seems more challenging.

"We are deeply disappointed this could happen. We take full responsibility for this mistake and apologise unreservedly," said Park.

The data was reportedly available online from Sept. 5, 2016, until this Wednesday, when it was discovered and removed.

Security expert Troy Hunt, who runs the website Have I Been Pwned, was highly critical of the data breach online, calling it the country’s "largest ever leak of personal data."

After being "tipped off," it was Hunt who originally discovered the "1.76GB worth of data from donateblood.com.au," saying it would have been all too easy for somebody to access.

"The database backup was published to a publicly facing website. This is really the heart of the problem because no way, no how should that ever happen," Hunt said.

"There is no good reason to place database backups on a website, let alone a publicly facing one. There are many bad reasons (usually related to convenience), but no good ones."

Hunt has also used his blog to explain that the incident shouldn't mean the public stops donating precious blood to people in need. "[I] want to make it abundantly clear up front that this should not discourage anyone from giving blood in the future because as important as this incident is, it pales in comparison to making a donation that could save lives," he said.

If you believe your personal details may have been compromised by the Australian Red Cross data breach, you can contact them here.


Jerico Mandybur is the editor of Mashable Australia. Previously, she worked as a digital editor at SBS, Oyster Mag, MTV and ASOS. Tweet her at @jerico_m.
