Blood service apologises for donor data leak
The Australian Red Cross Lifeblood is apologising to donors for an error which allowed a back-up copy of an online enquiry database to be accessed by an unauthorised person.
Lifeblood Chief Executive Shelly Park said today that on 26 October the Lifeblood became aware that a file containing donor information was placed in an insecure environment by a third party that develops and maintains the Lifeblood’s website.
The file contained registration information for 550,000 donors, submitted between 2010 and 2016. It was part of an online application to give blood, and the questionnaire includes information such as names, addresses, dates of birth and some personal details.
This information was copied by a person scanning for security vulnerabilities who then, through an intermediary, informed the Australian Cyber Emergency Response Team (AusCERT), of which the Lifeblood is a member.
With the assistance of AusCERT, the Lifeblood took immediate action to address the problem. The Lifeblood has been in communication with the Australian Cyber Security Centre and the Australian Federal Police, and has reported this potential breach to the Office of the Australian Information Commissioner.
IDCARE, a national identity and cyber support service, has assessed the information accessed as being of low risk of future direct misuse.
“To our knowledge all known copies of the data have been deleted. However, investigations are continuing,” Ms Park said.
“The online forms do not connect to our secure databases which contain more sensitive medical information. The Lifeblood continues to take a strong approach to cyber safety so donors and the Australian public can feel confident in using our systems.”
Ms Park apologised unreservedly to the people who may be impacted.
“We are incredibly sorry to our donors. We are deeply disappointed this could happen. We take full responsibility and I assure the public we are doing everything in our power to not only right this but to prevent it from happening again,” Ms Park said.
“We need your continued support to donate blood and feel confident that this will not reoccur in the future.”
The Lifeblood is endeavouring to contact all people who made an application to be a blood donor on this site and inform them of this potential data breach.
“We have set up a hotline, website and email address to provide information for donors,” Ms Park said. “It is vitally important that people who generously want to give blood are not deterred by this – every Australian may need a blood transfusion at some time and we hope people will continue to make their contribution and to feel confident that their personal details will be protected.”