Red Cross Data Breach: How 550,000 Australian Donors Were Exposed

In 2015, the Australian Red Cross contracted with a web development company called Precedent to create a new website. Unfortunately, the vendor left sensitive donor information from the Red Cross in a backup database on a public-facing website.

It wasn’t long before the website was identified by an anonymous individual who used an internet-scanning device to look for available SQL databases. This individual was then able to easily download a plain-text database containing donor information—which was more than 1.3 million rows long—without any nefarious hacking. The vendor has since admitted to the mistake (calling it “human error”) and the Australian Red Cross issued a statement apologizing for the breach.

Do you know how to keep “trusted” vendors from becoming cyber-breach enablers?

The first article published about the breach was from cybersecurity researcher Troy Hunt, who owns and operates a website called Have I Been Pwned? Hunt provides a service that allows users to search for their credentials in datasets obtained from high profile data breaches. He is frequently contacted by individuals with SQL databases containing personally-identifiable information (PII).

After the anonymous individual downloaded the donor information he contacted Hunt, who performed a series of steps to verify the breach. His blog post details this process. Interestingly, both he and his wife had given blood and were exposed in the breach, which helped him with the verification.

Takeaways From The Red Cross Data Breach

Consider the type of information your vendor will have access to.

What makes this breach particularly significant isn’t just that it’s

security ratings snapshot example

Request your free Security Rating Snapshot to find the gaps in your security program and how you compare to others in your industry.

Get Your Rating
Button Arrow
the largest in the country's history. It’s also that the breach uncovered highly sensitive and personal information—like recent travel or risky behaviors that open the door to bloodborne diseases. With this in mind, companies should always remember to pay particular attention to the cybersecurity posture of key vendors who will be handling such information.

Examine potential third parties holistically.

While we don’t know why the Australian Red Cross chose Precedent as its vendor, cost may have been a factor. If the nonprofit was trying to cut costs, we could be seeing real fallout from that decision. This is an important lesson in making decisions about your third parties with many critical metrics in mind—including cybersecurity, not just cost.

Identify potential security issues before and during your vendor contract.

The Australian Red Cross hasn’t released any details regarding its security practices or internal safeguards. But if they had performed penetration tests or security assessments, Precendent’s poor security practice may have been caught early. Remember—if your company contracts with a vendor that doesn’t prioritize security, your data and information could be at risk.

In Conclusion

As we’ve stated before, it’s impossible to completely secure your organization against attack. But if you’re prepared, a data breach doesn’t have to spell catastrophe. One of the best ways to prepare is to continuously monitor your third parties to get a better understanding of the risk you’re absorbing daily.