‘Here’s your personal data’: how an anonymous tipoff revealed Red Cross breach
A Microsoft regional director and security developer, Troy Hunt, was contacted early on Tuesday morning by an anonymous person on Twitter who told him he had obtained personal information about him and his wife.
“This guy reached out to me and said, ‘Here’s your personal data,’” Hunt said.
“There was my name, my email, my phone number, my data of birth, and information about when I had last donated blood.”
It didn’t take Hunt long to figure out that the data had come from a form he had filled out online through the Red Cross blood donation form.
On Friday the Red Cross Blood Service chief executive, Shelly Park, admitted at a media conference in Melbourne that the data of more than half a million blood donors across Australia had been compromised in a massive security breach, and accessed by an “unauthorised person”.
“We learned that a file, containing donor information, which was located on a development website, was left unsecured by a contracted third party who develops and maintains our website,” Park said.
Hunt, who founded the website haveibeenpwned.com, said the information about his wife provided to him by the man was even more concerning. She had donated blood many more times than he had and there was more information available about her.
“Her blood type was in there,” Hunt said. “The details provided by people through the questionnaire were mostly benign, I suppose, things like, ‘Are you are you under 50kg?’ and, ‘Have you had dental procedures?’ The one which stands out though is, ‘Have you had any risky sexual activity in the last 12 months?’”
The man ended up sending Hunt the entire 1.74 GB file he had obtained. Realising how serious the situation was, Hunt immediately contacted AusCERT, a leading computer emergency response team that provides security advice to the Australian public service and not-for-profit sector.
AusCert has now helped the Red Cross Blood Service to contain the data.
“I also asked the person who sent the file to me to delete it immediately,” Hunt said. “He immediately complied. He even screen-capped his delete process showing him deleting.
“Of course, he could have made other copies. I also asked him point blank if he had passed it on and he said no, he had not.
“All we can do is take him at his word. There is also no evidence he had any malicious intent. There are a lot of people who just scan the internet for information like this. He would have had some software to do this and he would have just been trawling around to see what he could find.”
Cyber security experts have told the blood service that the risk of the data being misused was low, and those affected have been told.
But Dr Vanessa Teague, a senior lecturer at the department of computing and information systems at the University of Melbourne’s school of engineering, said that reassurance was “cold comfort”.
“If one person noticed this data could be accessed, you have no idea how many other people also noticed it but chose not to notify anyone,’ she said.
“The other thing is that the scientific literature always talks about deidentification of data. But what people try to do is link multiple different data sets together to break people’s privacy.
“So one of the worst things about this is the possibility that other data sets that might have been privacy-preserving on their own might be more at risk because of the extra clues given in this blood data set, such as names and addresses, that wouldn’t normally be part of a deidentified data set.”
Those affected by the data breach have been sent a text message that reads: “The Blood Service has identified a potential data issue that may affect you,” with a link to the service’s website for more information.
Chris Culnane, a University of Melbourne programming languages and human-computer interaction expert, said it was worth pointing out that those who completed the Red Cross online questionnaire had done so so before filling out their personal details.
“If you answer any of the questions [such as, ‘Have you had a tattoo in last four months?’ and, ‘Are you pregnant or have you just given birth?’] in the affirmative, you are declined with no further questions being asked and no personal details being taken.
“So I assume that the data collected is only from people who have answered no to all of the questions. Due to the structure of the quiz, the linking would have to be on the negation of the answers.”
Source | theguardian