The Red Cross data breach last year, which was described as the largest data breach in Australian history, was caused by inappropriate handling of sensitive data by an employee at a third-party service provider.
The Red Cross data breach exposed sensitive details of about 550,000 prospective blood donors, including their blood type and home addresses.
In September last year, cyber security expert Troy Hunt was notified by an unknown individual that large amounts of sensitive data belonging to hundreds of thousands of people were sitting on a public-facing web server with no encryption in place.
Hunt discovered that the sensitive data belonged to about 550,000 prospective blood donors who had registered with the Australian Red Cross. The data included names, home addresses, gender, email addresses, country of birth, blood type, phone numbers and other donation-related data.
Following his discovery, Hunt notified the Australian Cyber Emergency Response Team (AusCERT) of the data breach and the Red Cross society was then ordered to contain the breach.
Timothy Pilgrim, the Australian Information and Privacy Commissioner, said that the Red Cross did not take contractual measures or take reasonable steps to “ensure adequate security measures for personal information held for it by the relevant third party contractor”.
The data breach occurred after an employee at Precedent Communications, a third-party service provider, uploaded the data of 550,000 blood donors to a public-facing web server instead of to a secure server.
“This incident is an important reminder that you cannot outsource privacy obligations. All organisations must put in place reasonable measures to ensure their third party providers’ compliance with appropriate privacy and data security practices and procedures,” said Pilgrim in a statement.
More and more large corporations have recently been found to endanger sensitive customer data because of errors by employees or third-party providers. Last month, sensitive details of 2.2 million Dow Jones customers were exposed in an unprotected Amazon S3 storage bucket following a configuration error by the company's engineers.
Earlier this month, Meraki, a subsidiary of Cisco, inadvertently deleted large amounts of customer data, again following a configuration error by its engineering team.
According to security firm UpGuard, risky handling of customer data isn’t limited to small-scale and mid-level firms but can also be committed by ‘esteemed, well-known organizations occupying the upper echelons of the financial world’.
‘Enterprises must start regaining control over their IT systems to ensure easily preventable mistakes are caught quickly, or face a costly digital backlash,’ the firm added.
The UK government has announced that it is bringing in a new data protection law that will seek to protect customer data in the hands of organisations and penalise companies that fail to protect such data. Once the new law comes into effect, companies, especially large ones, will not be able to afford such mistakes since the Information Commissioner’s Office will be able to issue fines of up to £17m, or 4% of a company’s global turnover.
According to Greg Hanson, VP of EMEA cloud at Informatica, businesses need to implement a powerful automated data management strategy and map out their entire databases, since humans cannot process such data all the time with perfect accuracy. A simple uploading or configuration error by any employee may impact the organisation and its customers as a whole.