Red Cross Data Breach: How 550,000 Australian Donors Were Exposed

Ryan Heitsmith | November 10, 2016 | tag: Vendor Risk Management

In 2015, the Australian Red Cross contracted with a web development company called Precedent to create a new website. Unfortunately, the vendor left sensitive donor information from the Red Cross in a backup database on a public-facing website. 

It wasn’t long before the website was identified by an anonymous individual who used an internet-scanning device to look for available SQL databases. This individual was then able to easily download a plain-text database containing donor information—which was more than 1.3 million rows long—without any nefarious hacking. The vendor has since admitted to the mistake (calling it “human error”) and the Australian Red Cross issued a statement apologizing for the breach.

Do you know how to keep “trusted” vendors from becoming cyber-breach enablers?

The first article published about the breach was from cybersecurity researcher Troy Hunt, who owns and operates a website called Have I Been Pwned? Hunt provides a service that allows users to search for their credentials in datasets obtained from high profile data breaches. He is frequently contacted by individuals with SQL databases containing personally-identifiable information (PII).

After the anonymous individual downloaded the donor information, he contacted Hunt, who performed a series of steps to verify the breach. His blog post details this process. Interestingly, both he and his wife had given blood and were exposed in the breach, which helped him with the verification.

Takeaways From The Red Cross Data Breach

Consider the type of information your vendor will have access to. 

What makes this breach particularly significant isn’t just that it’s the largest in the country's history. It’s also that the breach uncovered highly sensitive and personal information—like recent travel or risky behaviors that open the door to bloodborne diseases. With this in mind, companies should always remember to pay particular attention to the cybersecurity posture of key vendors who will be handling such information.

Examine potential third parties holistically.

While we don’t know why the Australian Red Cross chose Precedent as its vendor, cost may have been a factor. If the nonprofit was trying to cut costs, we could be seeing real fallout from that decision. This is an important lesson in making decisions about your third parties with many critical metrics in mind—including cybersecurity, not just cost.

Identify potential security issues before and during your vendor contract.

The Australian Red Cross hasn’t released any details regarding its security practices or internal safeguards. But if they had performed penetration tests or security assessments, Precedent’s poor security practice may have been caught early. Remember—if your company contracts with a vendor that doesn’t prioritize security, your data and information could be at risk.
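The failure described above is a file that should never have been deployed sitting under a public web root. One concrete check an assessment of a vendor deliverable can include is a pre-handover audit of the document root for backup and database-dump files. The script below is an added example written for this post; it is not BitSight tooling and not anything the Red Cross or Precedent used. It assumes the reviewer can read the directory that will be served (the `docroot` argument), and the extension list and SQL-dump markers are the author's own heuristics, not an exhaustive signature set. The sample docroot it builds is constructed inline so the script runs offline.

```python
"""Pre-handover check for backup/database dumps left in a web document root.

Added example (not from BitSight, the Red Cross, or Precedent). Assumes the
reviewer can read the directory that will be served publicly; intended to run
in CI or as part of a vendor security assessment before a site goes live.
"""
import os
import re
import tempfile

# Extensions that almost never belong under a public web root (author's list).
SUSPECT_EXTENSIONS = (
    ".sql", ".sql.gz", ".bak", ".dump", ".old", ".zip", ".tar.gz", ".tgz",
)

# Content markers typical of a plain-text SQL dump (MySQL/PostgreSQL style).
# Catches dumps that were renamed to an innocuous extension.
SQL_DUMP_MARKERS = re.compile(
    rb"^\s*(--\s*(MySQL|PostgreSQL)\s+(dump|database dump)"
    rb"|CREATE TABLE|INSERT INTO|COPY\s+\w+)",
    re.IGNORECASE | re.MULTILINE,
)


def _read_head(path, n=4096):
    """Read only the first n bytes; dumps can be very large."""
    with open(path, "rb") as fh:
        return fh.read(n)


def scan_docroot(docroot):
    """Walk docroot and return sorted (relative_path, reason) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, docroot)
            if name.lower().endswith(SUSPECT_EXTENSIONS):
                findings.append((rel, "suspect extension"))
                continue
            # Extension looked harmless; still inspect the content.
            try:
                head = _read_head(full)
            except OSError:
                continue
            if SQL_DUMP_MARKERS.search(head):
                findings.append((rel, "SQL dump content"))
    return sorted(findings)


def build_sample_docroot():
    """Create a constructed docroot: one clean page and two exposed dumps."""
    root = tempfile.mkdtemp(prefix="docroot-")
    os.makedirs(os.path.join(root, "assets"))
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<html><body>Donate today</body></html>\n")
    # Constructed backup left behind with a dump-style name.
    with open(os.path.join(root, "assets", "donors-backup.sql"), "w") as fh:
        fh.write("-- MySQL dump\nCREATE TABLE donors (id INT, email TEXT);\n")
    # Constructed dump renamed to .txt: the extension check misses it,
    # the content check catches it.
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        fh.write("INSERT INTO donors VALUES (1, 'donor@example.org');\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_docroot()
    for rel_path, reason in scan_docroot(sample_root):
        print(f"{reason}: {rel_path}")
```

Run it against the real document root (or the vendor's deployment artifact) instead of the constructed sample; any finding should block go-live until the file is removed and the reason it was there is understood. The content check matters because renaming a dump does not make it safe, and the head-only read keeps the audit cheap on large trees.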

In Conclusion

As we’ve stated before, it’s impossible to completely secure your organization against attack. But if you’re prepared, a data breach doesn’t have to spell catastrophe. One of the best ways to prepare is to continuously monitor your third parties to get a better understanding of the risk you’re absorbing daily.
