Blood donors' privacy anaemic after Red Cross data breach Australia's Red Cross has admitted to a significant data breach that saw haveibeenpwned.com sent a file containing records on 550,000 blood donors. The source of the file, or just who has been able to access it, are not known. Red Cross Australia chief executive Shelly Park says, in a canned statement, that "a back-up copy of …
"Confusingly, the Red Cross says it is confident that all copies of the data are now in safe hands,"
Perhaps someone needs to take their spokesperson aside and gently explain the difference between carbon copies and physical file folders, and the similarly named but totally different on-line variety.
Troy did a blog post on it. Apparently some guy for reasons unexplained was connecting to random IP addresses on port 80 to find those with directory browsing which exposed database backup files and helped him(presumably)self to it. He then shared it with Troy who worked with AUSCERT to get it dealt with quickly.
Troy's argument was that since the organisation committed to actively contact those affected, since he had not shared it with anyone*1 and that the mystery guy promised he had not shared it with anyone else and promised to delete all copies he had personally*2, there were no further known copies of that data in the wild.
Now unless the mystery guy was some "friend of a friend", I'd be a bit doubtful that all copies were wiped securely. I would have preferred he treat it as a sensitive breach (even if he withheld notifications for a few weeks to let RC notify through official channels everyone they can still locate) but hey, his bat and ball, his rules.
*1 - I have completed confidence of that being true personally
*2 - I am somewhat less confident in that assurance.
Index cards, in locked file cabinets, in a locked room.
A level of complexity most organisations can handle without major screwups.
BTW, backup copies and keeping track of them: when the GDR went down, the MfS* made sure that the HVA** erased their files on agents in the west*** working for them (double agents, infiltration agents, people blackmailed into working for them, etc). However, sometime in the mid-1980ies the HVA had upgraded their computer systems and before doing so, they made a full backup of the data on the old systems. After the new systems were operational and had been fed the data from the old systems, both the old systems and the backup were destroyed. Due to an oversight, one of the redundant copies of the backup survived and was found while sifting through the Stasi's leftovers, so to speak. The tapes could be read with the help of a collector who had old Robotron mainframe gear (originally used by the GDR's post office) in his garage; actually the only surviving hardware capable of doing so.
* Ministerium für Staatssicherheit (= Ministry of State Security), or "Stasi" for short.
** Hauptverwaltung Aufklärung. The department in charge of spying on foreign countries, run by Markus Wolf.
*** They made damn sure however they didn't erase what they knew about their West German counterpart, the BND. Word is, the BND analysts viewing the material came pretty close to having heart attacks several times.
rumour has it a data file was left on a publicly accessible web server by supplier to RC. Ah, the security and cost savings of of contracting out services and outsourcery. <sarcasm> But then I am sure that BranFlakes PanOpticon data snooping will reveal culprits. </sarcasm>
If the rumour you heard is true, then once again, the biggest IT exposure has been people.
What I don't understand is your comment on the RC outsourcing IT development projects. Whilst every organisation is now 100% reliant on IT, their core business isn't developing stuff - so why would they insource that?
While not wanting to turn down a high level sacking I would prefer the whole process that connected "data storage" to "external access" was discovered, then steps taken to ensure it did not happen again.
A chopped head will be remembered for a while but is less valuable to donors than the potential changes that could ensure data security in the future.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
