Red Cross Data Breach: How 550,000 Australian Donors Were Exposed
Ryan Heitsmith | November 10, 2016
In 2015, the Australian Red Cross contracted with a web development company called Precedent to create a new website. Unfortunately, the vendor left sensitive donor information from the Red Cross in a backup database on a public-facing website.
It wasn’t long before the website was identified by an anonymous individual who used an internet-scanning device to look for available SQL databases. This individual was then able to easily download a plain-text database containing donor information—which was more than 1.3 million rows long—without any nefarious hacking. The vendor has since admitted to the mistake (calling it “human error”) and the Australian Red Cross issued a statement apologizing for the breach.
The first article published about the breach was from cybersecurity researcher Troy Hunt, who owns and operates a website called Have I Been Pwned? Hunt provides a service that allows users to search for their credentials in datasets obtained from high profile data breaches. He is frequently contacted by individuals with SQL databases containing personally-identifiable information (PII).
After the anonymous individual downloaded the donor information he contacted Hunt, who performed a series of steps to verify the breach. His blog post details this process. Interestingly, both he and his wife had given blood and were exposed in the breach, which helped him with the verification.
Takeaways From The Red Cross Data Breach
Consider the type of information your vendor will have access to.
What makes this breach particularly significant isn’t just that it’s the largest in the country's history. It’s also that the breach uncovered highly sensitive and personal information—like recent travel or risky behaviors that open the door to bloodborne diseases. With this in mind, companies should always remember to pay particular attention to the cybersecurity posture of key vendors who will be handling such information.
Examine potential third parties holistically.
While we don’t know why the Australian Red Cross chose Precedent as its vendor, cost may have been a factor. If the nonprofit was trying to cut costs, we could be seeing real fallout from that decision. This is an important lesson in making decisions about your third parties with many critical metrics in mind—including cybersecurity, not just cost.
Identify potential security issues before and during your vendor contract.
The Australian Red Cross hasn’t released any details regarding its security practices or internal safeguards. But if they had performed penetration tests or security assessments, Precedent’s poor security practice may have been caught early. Remember—if your company contracts with a vendor that doesn’t prioritize security, your data and information could be at risk.
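The failure described above was a database backup sitting in a public web root, where a scan for exposed SQL files picked it up. One cheap check a customer can require of a vendor (or run itself) is a pre-publish gate that refuses to deploy a site directory containing anything that looks like a database dump. The script below is an added example, not code from the article, the Red Cross, or Precedent; the file-name patterns, content markers, and the constructed sample site are assumptions for illustration and would be tuned per project.

```python
"""Pre-publish check for database dumps left in a web root.

Added example, not code from the article or from the Red Cross / Precedent.
It walks a directory that is about to be published and flags files that look
like database backups, by file name and by sniffing the first bytes of content.
"""
import gzip
import os
import re
import tempfile

# File name patterns commonly used for database exports (assumption: extend per project)
DUMP_NAME_RE = re.compile(
    r"\.(sql|sql\.gz|sql\.zip|bak|dump|mdb|sqlite|db)$", re.IGNORECASE
)

# Text markers found near the start of common SQL dump formats (assumption)
DUMP_CONTENT_MARKERS = (
    b"-- MySQL dump",
    b"-- PostgreSQL database dump",
    b"CREATE TABLE",
    b"INSERT INTO",
    b"SQLite format 3\x00",
)


def looks_like_dump_content(path, sniff_bytes=4096):
    """Return True if the file's first bytes contain a known dump signature."""
    opener = gzip.open if path.endswith(".gz") else open
    try:
        with opener(path, "rb") as fh:
            head = fh.read(sniff_bytes)
    except OSError:
        return False
    return any(marker in head for marker in DUMP_CONTENT_MARKERS)


def scan_webroot(root):
    """Walk `root` and return sorted (relative_path, reason) for every suspicious file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if DUMP_NAME_RE.search(name):
                findings.append((rel, "backup-style file name"))
            elif looks_like_dump_content(full):
                findings.append((rel, "content matches a database dump signature"))
    return sorted(findings)


def build_sample_webroot(root):
    """Write a constructed sample site: two normal files and two misplaced dumps."""
    os.makedirs(os.path.join(root, "assets"), exist_ok=True)
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<html><body>Donate today</body></html>\n")
    with open(os.path.join(root, "assets", "app.js"), "w") as fh:
        fh.write("console.log('hello');\n")
    # Constructed dump with a tell-tale name (no real data)
    with open(os.path.join(root, "assets", "donors-backup.sql"), "w") as fh:
        fh.write("-- MySQL dump 10.13\nINSERT INTO donors VALUES (1, 'example');\n")
    # Constructed dump whose name gives nothing away, but whose content does
    with open(os.path.join(root, "export.txt"), "w") as fh:
        fh.write("CREATE TABLE donors (id INT, email VARCHAR(255));\n")


def run_demo():
    """Build the sample site in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_webroot(tmp)
        return scan_webroot(tmp)


if __name__ == "__main__":
    results = run_demo()
    for rel, reason in results:
        print(f"BLOCK DEPLOY: {rel}: {reason}")
    # Non-zero exit makes a CI pipeline refuse to publish the directory
    raise SystemExit(1 if results else 0)
```

Run it against the real build output instead of the sample directory (`scan_webroot("/path/to/site")`) as the last step before files are copied to the public server; a non-zero exit stops the deploy. Content sniffing matters because renaming a dump to `.txt` or `.bak.old` defeats a name-only check, and the check only covers files in the published tree, so it complements rather than replaces a review of what the vendor's hosting actually exposes.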