
Red Cross Data Breach: How 550,000 Australian Donors Were Exposed

Ryan Heitsmith | November 10, 2016

In 2015, the Australian Red Cross contracted with a web development company called Precedent to create a new website. Unfortunately, the vendor left a backup of the Red Cross donor database on a publicly accessible web server.

It wasn’t long before the file was found by an anonymous individual running an automated internet scan for publicly exposed SQL database files. This individual was then able to download a plain-text database containing donor information (more than 1.3 million rows) without any exploitation at all; the file was simply there to fetch. The vendor has since admitted to the mistake (calling it “human error”) and the Australian Red Cross issued a statement apologizing for the breach.


The first article published about the breach was from cybersecurity researcher Troy Hunt, who owns and operates a website called Have I Been Pwned? Hunt provides a service that allows users to search for their email addresses in datasets obtained from high-profile data breaches. He is frequently contacted by individuals holding SQL databases that contain personally identifiable information (PII).

After the anonymous individual downloaded the donor information he contacted Hunt, who performed a series of steps to verify the breach. His blog post details this process. Interestingly, both he and his wife had given blood and were exposed in the breach, which helped him with the verification.

Takeaways From The Red Cross Data Breach

Consider the type of information your vendor will have access to. 

What makes this breach particularly significant isn’t just that it’s the largest in the country's history. It’s also that the breach exposed highly sensitive personal information, such as recent travel or risky behaviors that open the door to bloodborne diseases. With this in mind, companies should always pay particular attention to the cybersecurity posture of key vendors who will be handling such information.

Examine potential third parties holistically.

While we don’t know why the Australian Red Cross chose Precedent as its vendor, cost may have been a factor. If the nonprofit was trying to cut costs, we could be seeing real fallout from that decision. This is an important lesson in making decisions about your third parties with many critical metrics in mind—including cybersecurity, not just cost.

Identify potential security issues before and during your vendor contract.

The Australian Red Cross hasn’t released any details regarding its security practices or internal safeguards. But had the Red Cross required penetration tests or security assessments of the vendor’s environment, an exposed backup file on a public web server is exactly the kind of low-effort finding such a review catches early. Remember: if your company contracts with a vendor that doesn’t prioritize security, your data is at risk.
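The check that would have caught this class of mistake is not sophisticated. The following script is an added example, not code from the original article, from Precedent or from the Australian Red Cross: it inspects HTTP responses from a vendor-hosted site for two things, a server-generated directory listing and links to (or direct downloads of) files whose names look like database dumps or backups. The host names, file names, HTML and the list of "risky" extensions are constructed assumptions for illustration; the responses are embedded inline so the audit runs offline, and a live variant is included for hosts you own or are contractually permitted to test.

```python
"""Flag exposed backup files and directory listings in web responses.

Added example for illustration; not the article's, the vendor's or the
Red Cross's own code. Sample responses and file names are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin

# Extensions a dump or backup left on a web server typically carries
# (assumed list; extend it for your own environment).
RISKY_SUFFIXES = (".sql", ".sql.gz", ".sql.zip", ".bak", ".dump",
                  ".tar.gz", ".zip", ".7z", ".old")


class _LinkCollector(HTMLParser):
    """Collect every href in an HTML page (enough for an autoindex page)."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def is_directory_listing(body: str) -> bool:
    """Heuristic for Apache/nginx autoindex pages: 'Index of' title or a Parent Directory link."""
    return bool(re.search(r"<title>\s*Index of", body, re.I)) or "Parent Directory" in body


def find_exposed_files(base_url: str, body: str):
    """Return absolute URLs of linked files whose names look like backups or dumps."""
    parser = _LinkCollector()
    parser.feed(body)
    hits = []
    for href in parser.hrefs:
        path = href.split("?", 1)[0].split("#", 1)[0].lower()
        if path.endswith(RISKY_SUFFIXES):
            hits.append(urljoin(base_url, href))
    return hits


def audit_response(url: str, status: int, content_type: str, body: str):
    """Classify one response; returns a list of (finding_kind, url) tuples."""
    findings = []
    if status == 200 and "text/html" in content_type and is_directory_listing(body):
        findings.append(("directory_listing", url))
    for exposed in find_exposed_files(url, body):
        findings.append(("backup_file_linked", exposed))
    path = url.split("?", 1)[0].lower()
    if status == 200 and "text/html" not in content_type and path.endswith(RISKY_SUFFIXES):
        findings.append(("backup_file_downloadable", url))
    return findings


# Constructed sample responses: an autoindex page on a vendor staging host,
# the dump itself served as a download, and a harmless home page.
SAMPLE_RESPONSES = [
    ("http://staging.example-vendor.test/backups/", 200, "text/html",
     "<html><head><title>Index of /backups</title></head><body>"
     "<h1>Index of /backups</h1><a href='../'>Parent Directory</a><br>"
     "<a href='donors-2016-08.sql'>donors-2016-08.sql</a><br>"
     "<a href='site.tar.gz'>site.tar.gz</a><br>"
     "<a href='README.txt'>README.txt</a></body></html>"),
    ("http://staging.example-vendor.test/backups/donors-2016-08.sql", 200,
     "application/octet-stream", ""),
    ("http://www.example-vendor.test/", 200, "text/html",
     "<html><head><title>Home</title></head><body><a href='/about'>About</a></body></html>"),
]


def run_audit(responses=SAMPLE_RESPONSES):
    """Audit a batch of (url, status, content_type, body) tuples."""
    findings = []
    for url, status, ctype, body in responses:
        findings.extend(audit_response(url, status, ctype, body))
    return findings


def fetch_and_audit(url: str, timeout: int = 10):
    """Live variant: only for hosts you own or are contractually permitted to test."""
    import urllib.request
    req = urllib.request.Request(url, headers={"User-Agent": "backup-exposure-check/1.0"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        ctype = resp.headers.get("Content-Type", "")
        # Only read HTML bodies; for a dump the status and extension are enough.
        body = resp.read(200_000).decode("utf-8", "replace") if "text/html" in ctype else ""
        return audit_response(url, resp.status, ctype, body)


if __name__ == "__main__":
    for kind, where in run_audit():
        print(f"{kind}: {where}")
```

On the constructed sample the audit reports the directory listing, the two linked archive files, and the dump that is directly downloadable; the ordinary home page produces nothing. The heuristics are deliberately simple (title text and file extensions), so treat a hit as something to look at, not proof of exposure, and add path-based probes such as /backup/ or /db/ to the URL list when running it against a real vendor scope.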

In Conclusion

As we’ve stated before, it’s impossible to completely secure your organization against attack. But if you’re prepared, a data breach doesn’t have to spell catastrophe. One of the best ways to prepare is to continuously monitor your third parties to get a better understanding of the risk you’re absorbing daily.
