Businesses are being warned to keep track of sensitive customer data after Australia experienced its largest data breach to date last Friday.
Last week it was revealed that records of close to 1.3 million Red Cross blood donors were leaked online in the form of a single database file.
Cyber security expert and Microsoft regional director Troy Hunt, who had been notified of the leak via an anonymous source, broke the news.
Hunt runs an online service called HaveIBeenPwned, which allows users to check if their data has been leaked online, and an anonymous tipster alerted Hunt to the availability of the records.
“I was notified by an anonymous Twitter account on Tuesday morning, who proceeded to provide me with a lot of my own sensitive data,” Hunt told SmartCompany.
“Once he provided me with a copy of the data, I was able to look up my wife’s which confirmed the legitimacy of the leak.”
Hunt then notified the Australian Computer Emergency Response Team (AusCERT), who then informed the Red Cross.
The data was retrieved through a script that had been run by the anonymous source. The script worked through a range of public IP addresses, connecting to each web server it found and searching for publicly available files.
When files were located, the script then searched for SQL-type files, which are almost always associated with databases. It was through this method that the Red Cross database was uncovered.
Despite the significance of the breach, the data was not leaked through specialist criminal means. The user who found the data was not engaging in any openly illegal activity, though Hunt believes it’s a “grey area”.
“On one hand, he was connecting to public and openly available web servers, which is fine,” Hunt says.
“On the other hand, he was looking for database files, which are not put on these public servers intentionally. He was looking for people who had made mistakes.”
An “alarmingly common” mistake
These types of mistakes are “alarmingly common” says Hunt, and only occur when someone has “fundamentally screwed up”.
“On one end of the spectrum, we have increasingly sophisticated and impressive attacks occurring worldwide, and at the other end, we have people publishing databases publicly on the web.”
For businesses that hold sensitive customer information, Hunt’s best advice is not to post it on publicly available web servers. Often this is done for convenience’s sake, says Hunt, as a way to share the data with co-workers or clients.
“If you need to share the data, make sure it is encrypted and that it has authorisation controls,” he says.
“Even just putting it on a USB drive and manually transferring it to them is a better method.”
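The method described above amounted to looking for database exports that had been left under public web roots, and Hunt’s advice is simply not to put them there. As an added defensive example (not code from the article, from Troy Hunt or from the Red Cross), the Python script below audits a local document root for such files, flagging them by extension and by sniffing SQL signatures in the first bytes so that a renamed dump is still caught. The sample web root it builds is constructed for the demonstration, and the directory layout, the extension list and the function names are assumptions.

```python
"""Audit a web document root for database dumps and backups that a web
server would hand to anyone who requests them.

Added example for this article; it is not code from Troy Hunt, the Red Cross
or SmartCompany. It assumes a file-system path to the directory the web
server publishes and inspects only local files; nothing is scanned remotely.
"""
import os
import re
import tempfile

# Extensions that are almost always database exports or backups (assumed list).
DUMP_EXTENSIONS = (".sql", ".sql.gz", ".sql.zip", ".bak", ".dump",
                   ".db", ".sqlite", ".sqlite3", ".mdb")

# Byte patterns that identify a SQL export regardless of its file name.
SQL_SIGNATURES = (
    re.compile(rb"--\s+(MySQL|PostgreSQL|MariaDB) dump", re.IGNORECASE),
    re.compile(rb"\bCREATE TABLE\b", re.IGNORECASE),
    re.compile(rb"\bINSERT INTO\b", re.IGNORECASE),
)


def looks_like_dump(path, sniff_bytes=4096):
    """Return True if the file's name or first bytes mark it as a database export."""
    name = os.path.basename(path).lower()
    if name.endswith(DUMP_EXTENSIONS):
        return True
    try:
        with open(path, "rb") as fh:
            head = fh.read(sniff_bytes)
    except OSError:
        return False
    return any(sig.search(head) for sig in SQL_SIGNATURES)


def find_exposed_dumps(webroot):
    """Walk webroot and return the relative paths of files that look like dumps."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(webroot):
        for filename in filenames:
            full = os.path.join(dirpath, filename)
            if looks_like_dump(full):
                findings.append(os.path.relpath(full, webroot))
    return sorted(findings)


def build_demo_webroot():
    """Create a constructed sample web root (no real data) and return its path."""
    root = tempfile.mkdtemp(prefix="webroot_")
    samples = {
        "index.html": b"<html><body>Donate today</body></html>",
        "css/site.css": b"body { margin: 0 }",
        # A database export dropped next to the site for a colleague to fetch.
        "backup/donors.sql": b"-- MySQL dump 10.13\nCREATE TABLE donors (id INT);\n",
        # Binary backup recognised purely by extension.
        "exports/members_2016.bak": b"\x00\x01binary backup\x00",
        # A dump whose extension was changed still carries SQL inside it.
        "uploads/report.txt": b"INSERT INTO donors VALUES (1, 'A+');\n",
    }
    for rel, content in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    demo_root = build_demo_webroot()
    for rel in find_exposed_dumps(demo_root):
        print("exposed:", rel)
```

Run it against the real document root instead of the demo directory (for example from a nightly cron job) and treat any finding as a file to remove, since the web server would serve it to anyone who guesses or discovers its path. Content sniffing matters because a renamed dump such as `uploads/report.txt` above is just as exposed as one still ending in `.sql`.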
As well as being Australia’s largest ever data leak, the breach exposed highly sensitive information. The database included names, physical and email addresses, phone numbers, dates of birth, and blood types of those who had donated to the Red Cross since 2010.
However, as Hunt outlines on his blog, the number of unique donors actually affected by the leak is much less than 1.3 million. Due to many donating more than once, Hunt estimates that only 550,000 individuals would have had their details leaked.
One section of the data included donor eligibility answers, including the question, “In the last 12 months, have you engaged in at-risk sexual behaviour?” The sensitive nature of this question has many worried about any potential copies of the data that others may have.
Hunt says he doesn’t know who else has the data but is confident that his anonymous source has behaved ethically and deleted his copy.
“I haven’t seen any chatter on online forums about the data, so we are as confident as we can be that no one else has access to the database,” Hunt says.
In a statement, Red Cross chief executive Shelly Park apologised for the leak, saying the service was “deeply disappointed this could happen”.
“We take full responsibility and I assure the public we are doing everything in our power to not only right this but to prevent it from happening again,” Park said.
“We need your continued support to donate blood and feel confident that this will not reoccur in the future.”
The Red Cross believes that all known copies of the data have been deleted, but it continues to work with AusCERT and the Australian Federal Police to determine if more copies of the database are available.
How to deal with a data breach
For businesses dealing with data breaches, head of legal at LawPath Dominic Woolrych told SmartCompany the Privacy Act provides clear guidelines on what action to take.
The Privacy Act governs government agencies and those private sector and not-for-profit organisations with an annual turnover of more than $3 million.
Some small businesses also have to comply with the Privacy Act, including health service providers, personal information traders, and other businesses meeting the conditions covered in this list.
“Firstly you need to contain the breach and determine how the breach occurred. If a business knows or suspects it has been breached, it’s good practice to take your servers offline or cut off staff access until the issue is resolved,” Woolrych says.
Woolrych warns that staff are often weak points when it comes to data breaches and that businesses should endeavour to make staff aware that breaches can happen.
“It’s best to get people across the fact that this can happen, both your staff and your shareholders,” he says.
Once a business has determined a breach has occurred, it is important to know how much data has been leaked.
“You need to determine how big the breach was and how much has been taken,” Woolrych says.
“Unfortunately in this situation, there was lots taken, most alarmingly blood types and information about at risk sexual behaviour. Under the Privacy Act if there is a real risk of serious harm, then businesses can get in serious trouble.”
Finally, Woolrych advises businesses to notify their customers, even though it is currently not compulsory to notify them under the Privacy Act.
“It is good practice to notify your customers, and the most common thing to do is notify under normal means of notification, which is whatever you usually contact clients by.”