A 1.74GB MySQL database backup from the Australian Red Cross, containing 1.3 million rows across 647 tables, was found to be publicly accessible on October 28, 2016.
The data originated from an online donor application form and included name, gender, address, email, phone number, date of birth, country of birth, blood type, and other donation-related details, as well as appointments made.
At the time it was called the largest unintended release of personal data yet seen in Australia; since then, the organisation's handling of it has also been called one of the best business responses to a crisis.
According to Red Cross Blood Services Australia executive director of donor services Janine Wilson, her organisation has learned a lot from the incident.
“We were a business that thought it was managing data pretty well, but what’s very clear to me now having gone through that is your actual IT security systems can be watertight, but there are people who operate them every day,” Wilson explained, adding that processes and personnel are not always in concert, which results in holes in security procedures that sometimes can’t be seen.
Speaking at the Oracle Modern Business Experience 2017 in Sydney on Thursday, Wilson explained that the Red Cross made a very quick and proactive decision to go public and did so as soon as they knew.
“It was our obligation to tell the 1.2 million donors that their data may have been breached and here’s what happened,” she said.
The Red Cross was fortunate that those affected by the breach have, generally speaking, forgiven the not-for-profit organisation.
“People responded to that honesty with a generous response. To be honest, there was a tiny minority of people who got pretty cranky — and fair enough — and we spoke with them on very personalised channels,” she explained.
“Blood donors are collectively a fairly loyal and forgiving lot … I think they were forgiving but I don’t think they would be again.”
Since October, Wilson said the Red Cross has strengthened a number of things within its organisation, including surveillance and how it manages data.
“Things like when a donor makes an online appointment on our web page: it used to be we held on to that information for a long time, and there’s no need to hold onto it. In fact, privacy requirements would say you don’t need to and therefore you shouldn’t, so now we only hold onto it for as long as we need to and then it gets deleted,” she explained.
“There are practices like that we can change in order to reduce the risk on all fronts that something like that could happen.”
Wilson reiterated that there is no foolproof system to avoid a breach, and that it is simply a case of when.
“Be really clear about what promise you have to whom and where your priorities are on data security, and I think our donors know what we stand for there and we’ve kept them updated,” she said.
“The noise has died down but it will no doubt surface again as we make other announcements about new solutions, and this, that, and the other, we’ll manage that as it comes.”
The Australian Privacy Commissioner is still preparing his report on the breach.
Source: SANS ISC SecNewsFeed @ May 4, 2017 at 02:42AM