back to article Blood donors' privacy anaemic after Red Cross data breach

Australia's Red Cross has admitted to a significant data breach that saw haveibeenpwned.com sent a file containing records on 550,000 blood donors. The source of the file, or just who has been able to access it, are not known. Red Cross Australia chief executive Shelly Park says, in a canned statement, that "a back-up copy of …

  1. Kernel Silver badge

    What ???

    "Confusingly, the Red Cross says it is confident that all copies of the data are now in safe hands,"

    Perhaps someone needs to take their spokesperson aside and gently explain the difference between carbon copies and physical file folders, and the similarly named but totally different on-line variety.

    1. Adam 1 Silver badge

      Re: What ???

      Troy did a blog post on it. Apparently some guy for reasons unexplained was connecting to random IP addresses on port 80 to find those with directory browsing which exposed database backup files and helped him(presumably)self to it. He then shared it with Troy who worked with AUSCERT to get it dealt with quickly.

      Troy's argument was that since the organisation committed to actively contact those affected, since he had not shared it with anyone*1 and that the mystery guy promised he had not shared it with anyone else and promised to delete all copies he had personally*2, there were no further known copies of that data in the wild.

      Now unless the mystery guy was some "friend of a friend", I'd be a bit doubtful that all copies were wiped securely. I would have preferred he treat it as a sensitive breach (even if he withheld notifications for a few weeks to let RC notify through official channels everyone they can still locate) but hey, his bat and ball, his rules.

      *1 - I have completed confidence of that being true personally

      *2 - I am somewhat less confident in that assurance.

    2. Old Handle

      Re: What ???

      I see. I guess it's possible only good guys found database. If so they were very lucky, but I don't know how they can be so sure of this.

  2. allthecoolshortnamesweretaken

    Index cards, in locked file cabinets, in a locked room.

    A level of complexity most organisations can handle without major screwups.

    BTW, backup copies and keeping track of them: when the GDR went down, the MfS* made sure that the HVA** erased their files on agents in the west*** working for them (double agents, infiltration agents, people blackmailed into working for them, etc). However, sometime in the mid-1980ies the HVA had upgraded their computer systems and before doing so, they made a full backup of the data on the old systems. After the new systems were operational and had been fed the data from the old systems, both the old systems and the backup were destroyed. Due to an oversight, one of the redundant copies of the backup survived and was found while sifting through the Stasi's leftovers, so to speak. The tapes could be read with the help of a collector who had old Robotron mainframe gear (originally used by the GDR's post office) in his garage; actually the only surviving hardware capable of doing so.

    * Ministerium für Staatssicherheit (= Ministry of State Security), or "Stasi" for short.

    ** Hauptverwaltung Aufklärung. The department in charge of spying on foreign countries, run by Markus Wolf.

    *** They made damn sure however they didn't erase what they knew about their West German counterpart, the BND. Word is, the BND analysts viewing the material came pretty close to having heart attacks several times.

  3. Mark Solaris

    A better way of finding someone compatible than a RSVP dating profile.

  4. John Smith 19 Gold badge

    So the start of a nice little identity theft project ?

    Just the outline but handy should you need to set up a few hundred credit cards in a hurry.

  5. Denarius Silver badge
    FAIL

    developers, again

    rumour has it a data file was left on a publicly accessible web server by supplier to RC. Ah, the security and cost savings of of contracting out services and outsourcery. <sarcasm> But then I am sure that BranFlakes PanOpticon data snooping will reveal culprits. </sarcasm>

    1. RudderLessIT

      Re: developers, again

      If the rumour you heard is true, then once again, the biggest IT exposure has been people.

      What I don't understand is your comment on the RC outsourcing IT development projects. Whilst every organisation is now 100% reliant on IT, their core business isn't developing stuff - so why would they insource that?

  6. Anonymous Coward
    Anonymous Coward

    As a potential victim (and donor)

    This is inexcusable.

    Fail 101.

    I want to see some high level sackings.

    As for continuing as a donor, maybe not.

    1. Alan Brown Silver badge

      Re: As a potential victim (and donor)

      "As for continuing as a donor, maybe not."

      if enough donors say that publicaly, you may well get those high level sackings. (hint)

      1. Anonymous Coward
        Anonymous Coward

        Re: As a potential victim (and donor)

        While not wanting to turn down a high level sacking I would prefer the whole process that connected "data storage" to "external access" was discovered, then steps taken to ensure it did not happen again.

        A chopped head will be remembered for a while but is less valuable to donors than the potential changes that could ensure data security in the future.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019