Security flaws on the organisation’s website led to personal data bleeding out after a basic hack attack
Hackers have breached and leaked personal data from Australia’s Red Cross Blood Service, leading to the details of 550,000 donors being exposed.
The breach, detailed by security expert Troy Hunt, is the biggest data leak Australia has suffered, and revealed the email addresses, gender, date of birth, phone number and blood donation date of the organisation’s donors between 2010 and 2016.
Blood donor data loss
Rather than the more aggressive SQL injection attacks that often lead to such breaches, Hunt noted that the hacker appeared to have simply scanned Internet IP addresses looking for exposed web servers that returned directory listings.
“This is literally as simple as going to an address such as http://127.0.0.1 and seeing a list of all the files on the system (sample address only). He’d then look to see if any of those files contained a .sql extension which would indicate a database backup… and that is all,” said Hunt.
The data leak stemmed from a database backup published to a publicly facing website. Hunt said this should never be done: there is no good reason, other than convenience, to keep such a database on a website at all, let alone a public one. The backup was then exposed because directory browsing was enabled on the site.
“The database backup should never have been there in the first place, but it’s highly unlikely it would have been found without directory browsing enabled (the file name would not have been easily guessed, it wasn’t as obvious as something like “database.sql”). Showing a public listing of the file contents of the server is a well-known risk and there’s rarely a valid justification for this, precisely for the sorts of reasons demonstrated with this incident,” Hunt explained.
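The two conditions Hunt describes, a listing-enabled directory and a backup file inside it, are easy to audit for on your own hosts. The following is an added example, not code from the article or from Troy Hunt: a small Python helper that recognises the "Index of /" pages produced by Apache mod_autoindex and nginx autoindex, and flags any listed file whose name looks like a database dump or site backup. The sample HTML, the host example.test, and the file names in it are constructed for the demonstration; the fetch function is injected so the audit runs offline.

```python
"""Audit helper: detect web-server directory listings and backup files
exposed in them. Added example with constructed sample pages; it does not
reproduce any real site's content."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Extensions that typically indicate a database dump or site backup (assumed list).
BACKUP_EXTENSIONS = (".sql", ".sql.gz", ".sql.zip", ".bak", ".dump", ".tar.gz", ".zip")

# Apache mod_autoindex and nginx autoindex both title the page "Index of /<dir>".
LISTING_TITLE = re.compile(r"^\s*Index of\s+/", re.IGNORECASE)


class _ListingParser(HTMLParser):
    """Collect <title>/<h1> text and every href on a page."""

    def __init__(self):
        super().__init__()
        self.hrefs = []
        self.titles = []
        self._capture = None

    def handle_starttag(self, tag, attrs):
        if tag in ("title", "h1"):
            self._capture = []
        elif tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)

    def handle_endtag(self, tag):
        if tag in ("title", "h1") and self._capture is not None:
            self.titles.append("".join(self._capture))
            self._capture = None

    def handle_data(self, data):
        if self._capture is not None:
            self._capture.append(data)


def is_directory_listing(html: str) -> bool:
    """True if the page looks like an auto-generated directory index."""
    parser = _ListingParser()
    parser.feed(html)
    return any(LISTING_TITLE.match(t) for t in parser.titles)


def exposed_backups(html: str, page_url: str) -> list:
    """Absolute URLs of linked files whose names look like backups."""
    parser = _ListingParser()
    parser.feed(html)
    found = []
    for href in parser.hrefs:
        absolute = urljoin(page_url, href)
        if urlparse(absolute).path.lower().endswith(BACKUP_EXTENSIONS):
            found.append(absolute)
    return found


def audit(page_url: str, fetch) -> dict:
    """fetch(url) -> HTML body. Injected so the check runs offline here;
    in real use it would wrap urllib.request against hosts you administer."""
    html = fetch(page_url)
    return {
        "url": page_url,
        "directory_listing": is_directory_listing(html),
        "backups": exposed_backups(html, page_url),
    }


# Constructed sample: the kind of page mod_autoindex serves for a folder
# that happens to hold a database dump. File names are invented.
SAMPLE_LISTING = """<html><head><title>Index of /uploads</title></head>
<body><h1>Index of /uploads</h1><pre>
<a href="?C=N;O=D">Name</a>
<a href="/">Parent Directory</a>
<a href="banner.png">banner.png</a>
<a href="db_2016-09-05_a8f3.sql">db_2016-09-05_a8f3.sql</a>
<a href="site-export.tar.gz">site-export.tar.gz</a>
</pre></body></html>"""

# Constructed sample: an ordinary page (no listing) that links to one dump.
SAMPLE_NORMAL = ("<html><head><title>Donate blood</title></head>"
                 "<body><a href='a.sql'>export</a></body></html>")


def demo():
    """Run the audit over the constructed pages without any network access."""
    pages = {"https://example.test/uploads/": SAMPLE_LISTING,
             "https://example.test/": SAMPLE_NORMAL}
    return [audit(url, pages.__getitem__) for url in pages]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

A hit on either field is a finding: a listing means the server should get `Options -Indexes` (Apache) or `autoindex off;` (nginx), and a flagged file should be removed from the document root regardless of whether listing is on, since the listing only makes an already-exposed file easy to find.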
All this points towards flaws in the Australian Red Cross Blood Service’s IT security, to the extent that The Guardian reported the organisation had explained the breach was down to human error.
“We learned that a file, containing donor information, which was located on a development website, was left unsecured by a contracted third party who develops and maintains our website,” said Australian Red Cross Blood Service chief executive Shelly Park. “The issue occurred due to human error. Consequently, this file was accessed by a person outside of our organisation.”
Park apologised for the data leak but stressed it did not include any medical information belonging to the donors. However, the leak of personal email addresses and information means hundreds of thousands of donors will need to be on alert to phishing scams targeted at them based on the leaked data.
Shore up security
By making the backup convenient to access, the Australian Red Cross Blood Service essentially exposed its data to opportunistic hackers. Mark James, security specialist at ESET, noted that this situation could have been avoided with a more savvy and modern approach to IT security.
“Protecting your data is an accumulation of many things; multi-layered defence is made up of security software, hardware, education and the expertise to meld them all into one. Ensuring corners are not cut or shortcuts are not in place is all part of securing your data,” he said.
“Ensuring your software is patched and up to date is one of the biggest failings. Many webservers are using outdated software that still has vulnerabilities or flaws waiting to be exploited.
“With software available to scan multiple IP addresses looking for certain types of files most of the hard work has already been done for the attacker. If the correct authentication methods were in place and periodic security reviews on all servers holding or handling our private data then a lot of these breaches would not have happened.”
Data breaches are becoming bigger, more damaging and increasingly high profile as the years march on; the latest major breach suffered by Yahoo has had the effect of putting its acquisition by Verizon at risk.
Alarmingly, even the police could be behind data breaches, showing organisations that it is not just hackers they should be concerned about.