On 26 October the Blood Service became aware a file containing donor information was placed in an insecure environment by a third party that develops and maintains the Blood Service’s website. This file contained registration information of 550,000 donors made between 2010 and 2016. Included in the file was information such as names, addresses and dates of birth.
This information was copied by a person scanning for security vulnerabilities who then, through an intermediary, informed the Australian Cyber Emergency Response Team (AusCERT) with whom the Blood Service has membership.
With assistance of AusCERT, the Blood Service took immediate action to address the problem. The Blood Service has been in communication with the Australian Cyber Security Centre and the Office of the Australian Information Commissioner.
IDCARE, a national identity and cyber support service, has assessed the information accessed as of low risk of future direct misuse.
To our knowledge all known copies of the data have been deleted. However, investigations are continuing.
The online forms do not connect to our secure databases which contain more sensitive medical information.
The Blood Service continues to take a strong approach to cyber safety so donors and the Australian public can feel confident in using our systems.In the circumstances the organisations' knowledge of deletion of copies is unlikely to be exhaustive.
Information exposed through the breach (responses to the online blood donor appointment request form) encompasses answers to
- First and last name
- Address, Suburb, Postcode, State
- Mobile phone (optional)
- Email Donor ID (optional).
- Have you donated in the last 24 months?
- Postcode or suburb for donation
- Preferred date range request for donation, and preferred time of day
- Preferred location for donation
- Preferred appointment time
- Date of birth
- Gender
- In the 4 months leading up to your appointment, will you travel outside of Australia?
- Between 1980 and 1986, did you live in the UK for a cumulative period of 6 months?
- Are you feeling unhealthy or unwell?
- Are you taking antibiotics at the moment?
- Are you currently pregnant or have you been pregnant in the last 9 months?
- Have you had an operation or surgical procedure in the last 6 months?
- Are you planning any operations or surgical procedures in the next 3 months?
- In the last week, have you had any dental work, cleaning, fillings or extractions?
- In the last 4 months: Have you had a tattoo? Have you had a piercing?
- Do you weigh less than 50 kilograms?
- In the last 12 months, have you engaged in at-risk sexual behaviour?
A file containing donor information was placed in an insecure environment by a third party that develops and maintains the Blood Service’s website. This was a human error on the part of the third party service. This information was copied by a person scanning for security vulnerabilities who then, through an intermediary, informed AusCERT.
What are you doing about this?
Working with AusCERT, a cyber security organisation who provides information and security advice to us as a member of their service, we have managed to have all known copies of the archive deleted, and have removed the vulnerability from the web developer’s server. We’ve mobilised a team of security experts to conduct a forensic analysis of the incident. We are also establishing a taskforce including independent experts to conduct a thorough investigation of governance and security structures within the Blood Service.
How long was the data available?
At this stage we understand the data may have been available from 5 September 2016 to 25 October 2016. Our forensic experts are working to confirm the exact dates. To our knowledge, all known copies of the data have been deleted, however investigations are continuing.
When was the data accessed?
We believe the archive was accessed on 24 October 2016, our forensic experts are confirming this. We have managed to have all known copies deleted and have removed the vulnerability from the third party service that develops and maintains the Blood Service’s website.
Why should I trust you with my information?
We take the security of information our donors provide extremely seriously and have done everything in our power, since becoming aware of this situation, to address this security issue.
Is this the Blood Service's fault?
This was a human error on the part of the third party service that develops and maintains the Blood Service’s website. We take full responsibility for this mistake and apologise unreservedly to all affected. We take cyber security very seriously and we are deeply disappointed this occurred.
What actions are you taking?
Working with AusCERT we have managed to delete all known copies of the archive, and have removed the vulnerability from the third party service that develops and maintains the Blood Service’s website. We’ve mobilised a team of security experts to conduct a forensic analysis of the incident. We are also establishing a taskforce including independent experts to conduct a thorough investigation of governance and security structures within the Blood Service. IDCARE, a national identity and cyber support service, has assessed the information accessed as of low risk of future direct misuse. We are reviewing our arrangements with the third party provider.