Red Cross data breach that impacted 550,000 donors was caused by ‘human error’

The Red Cross data breach last year, which was termed the largest data breach in Australian history, was caused by inappropriate handling of sensitive data by an employee at a third-party service provider.

The Red Cross data breach exposed sensitive details of about 550,000 prospective blood donors, including their blood type and home addresses.

In September last year, cyber security expert Troy Hunt was notified by an unknown individual about the presence of large chunks of sensitive data belonging to hundreds of thousands of people on a public-facing web server with no encryption in place.

Hunt discovered that the sensitive data belonged to about 550,000 prospective blood donors who had registered with the Australian Red Cross. The data included names, home addresses, gender, email addresses, country of birth, blood type, phone numbers and other donation-related data.

Following his discovery, Hunt notified the Australian Cyber Emergency Response Team (AusCERT) of the data breach and the Red Cross society was then ordered to contain the breach.

Timothy Pilgrim, the Australian Information and Privacy Commissioner, said that the Red Cross did not take contractual measures or take reasonable steps to “ensure adequate security measures for personal information held for it by the relevant third party contractor”.

The data breach occurred after an employee at Precedent Communications, a third-party service provider, uploaded data belonging to 550,000 blood donors to a public-facing web server instead of uploading it to a secure server.

“This incident is an important reminder that you cannot outsource privacy obligations. All organisations must put in place reasonable measures to ensure their third party providers’ compliance with appropriate privacy and data security practices and procedures,” said Pilgrim in a statement.

More and more large corporations have been found to endanger sensitive customer data in the recent past thanks to errors on the part of employees or third-party providers. Last month, sensitive details of 2.2 million Dow Jones customers were exposed on an unprotected Amazon S3 cloud server following a configuration error on the part of the company’s engineers.

Earlier this month, Meraki, a subsidiary of Cisco, inadvertently deleted large chunks of customer data, also following a configuration error by its engineering team.

According to security firm UpGuard, risky handling of customer data isn’t limited to small-scale and mid-level firms but can also be committed by ‘esteemed, well-known organizations occupying the upper echelons of the financial world’.

‘Enterprises must start regaining control over their IT systems to ensure easily preventable mistakes are caught quickly, or face a costly digital backlash,’ the firm added.

The UK government has announced that it is bringing in a new data protection law that will seek to protect customer data in the hands of organisations and penalise companies that fail to protect such data. Once the new law comes into effect, companies, especially large ones, will not be able to afford such mistakes since the Information Commissioner’s Office will be able to issue fines of up to £17m, or 4% of a company’s global turnover.

According to Greg Hanson, VP of EMEA cloud at Informatica, businesses need to implement a powerful automated data management strategy and map out their entire databases, since humans cannot process such data all the time with perfect accuracy. A simple uploading or configuration error on the part of any employee may impact the organisation and its customers as a whole.

Copyright Lyonsdown Limited 2021
