Australia’s biggest data breach, involving 1.3 million records collected by the Red Cross: not quite the world-beating Yahoo data breach earlier this year, but very significant
October 28, 2016
Another day, another massive data breach. This time it is an Australian record: more than a million personal and medical records of people donating blood to the Australian Red Cross were exposed online.
The Red Cross issued a fairly comprehensive statement which provides:
A note from the Blood Service Chief Executive and the Chair
To everyone who has been impacted
Thank you for taking the time to come to this website to find out more information about this situation.
We are deeply disappointed this could happen. We take full responsibility for this mistake and apologise unreservedly.
We would like to assure you we are doing everything in our power to not only right this but to prevent it from happening again.
We know people will have a lot of questions and we’ve established this dedicated page to provide you with the information we have regarding the situation, answers to any frequently asked questions and outline the avenues that are available to you if you would like further support or information.
Once again we would like to sincerely apologise for what has happened and we appreciate your continued support by donating blood.
Sincerely,
Jim Birch
Chair
Shelly Park
Chief Executive
What happened?
On 26 October the Blood Service became aware a file containing donor information was placed in an insecure environment by a third party that develops and maintains the Blood Service’s website. This file contained registration information of 550,000 donors made between 2010 and 2016. Included in the file was information such as names, addresses and dates of birth.
This information was copied by a person scanning for security vulnerabilities who then, through an intermediary, informed the Australian Cyber Emergency Response Team (AusCERT) with whom the Blood Service has membership.
With assistance of AusCERT, the Blood Service took immediate action to address the problem. The Blood Service has been in communication with the Australian Cyber Security Centre and the Office of the Australian Information Commissioner.
IDCARE, a national identity and cyber support service, has assessed the information accessed as of low risk of future direct misuse.
To our knowledge all known copies of the data have been deleted. However, investigations are continuing.
The online forms do not connect to our secure databases which contain more sensitive medical information. The Blood Service continues to take a strong approach to cyber safety so donors and the Australian public can feel confident in using our systems.
What do I do now?
We understand people will be concerned about this and have established an inbox for people to access further information or ask questions. A dedicated hotline has also been established if you would like to speak with one of our staff.
Hotline: 13 95 96
Email: data@redcrossblood.org.au
We have also arranged access to IDCARE, a national identity and cyber support service, who can provide counselling support from specialist counsellors and information on additional responses that may be unique to your own situation.
If you would like to access these services please call 1300 432 273 or visit www.idcare.org.
Although IDCARE assessed the information accessed as of low risk of future direct misuse, there is always a risk that individuals could be contacted by cyber criminals and scammers via email and telephone (including SMS).
FAQs
How did this happen?
A file containing donor information was placed in an insecure environment by a third party that develops and maintains the Blood Service’s website. This was a human error on the part of the third party service. This information was copied by a person scanning for security vulnerabilities who then, through an intermediary, informed AusCERT.
What are you doing about this?
Working with AusCERT, a cyber security organisation who provides information and security advice to us as a member of their service, we have managed to have all known copies of the archive deleted, and have removed the vulnerability from the web developer’s server. We’ve mobilised a team of security experts to conduct a forensic analysis of the incident. We are also establishing a taskforce including independent experts to conduct a thorough investigation of governance and security structures within the Blood Service.
How long was the data available?
At this stage we understand the data may have been available from 5 September 2016 to 25 October 2016. Our forensic experts are working to confirm the exact dates. To our knowledge, all known copies of the data have been deleted, however investigations are continuing.
When was the data accessed?
We believe the archive was accessed on 24 October 2016; our forensic experts are confirming this. We have managed to have all known copies deleted and have removed the vulnerability from the third party service that develops and maintains the Blood Service’s website.
Why should I trust you with my information?
We take the security of information our donors provide extremely seriously and have done everything in our power, since becoming aware of this situation, to address this security issue.
Is this the Blood Service’s fault?
This was a human error on the part of the third party service that develops and maintains the Blood Service’s website. We take full responsibility for this mistake and apologise unreservedly to all affected. We take cyber security very seriously and we are deeply disappointed this occurred.
What actions are you taking?
Working with AusCERT we have managed to delete all known copies of the archive, and have removed the vulnerability from the third party service that develops and maintains the Blood Service’s website. We’ve mobilised a team of security experts to conduct a forensic analysis of the incident. We are also establishing a taskforce including independent experts to conduct a thorough investigation of governance and security structures within the Blood Service. IDCARE, a national identity and cyber support service, has assessed the information accessed as of low risk of future direct misuse. We are reviewing our arrangements with the third party provider.
Are the other Blood Service systems adequately protected?
This is an extremely high priority within the organisation. There are always threats and vulnerabilities to IT security and they are constantly changing. As a result we continue to monitor our controls and modify them to address emerging vulnerabilities and threats in order to secure our internal systems and data.
Who can donors speak to for more information (hotline)?
In the first instance, please seek further information from our website info.donateblood.com.au or call our hotline (PH: 13 95 96) or email us on data@redcrossblood.org.au. We have also arranged access to IDCARE, a national identity and cyber support service, who can provide counselling support from specialist counsellors and information on additional responses that may be unique to your own situation. If you would like to access these services please call 1300 432 273 or visit www.idcare.org.
This prompted an unusually quick response from the Australian Privacy Commissioner, who issued a statement providing:
The Australian Red Cross Blood Service has advised my office of a data breach from the DonateBlood website. In doing so, Red Cross has provided details of what occurred and steps taken to contain the breach. I welcome their prompt actions to prevent any further disclosure of this highly sensitive personal information.
My office encourages voluntary notification of data breaches, particularly where there is a risk to an individual as a result of a breach. This is good privacy practice as it gives individuals the opportunity to take proactive steps to protect their personal information and also helps to protect an organisation’s reputation by displaying transparency.
I will be opening an investigation into this matter and will work with the Red Cross to assist them in addressing the issues arising from this incident. The results of that investigation will be made public at its conclusion.
This was reported by iTnews in Australia’s biggest data breach sees 1.3m records leaked, which provides:
More than one million personal and medical records of Australian citizens donating blood to the Red Cross Blood Service have been exposed online in the country’s biggest and most damaging data breach to date.
A 1.74 GB file containing 1.28 million donor records going back to 2010, published to a publicly-facing website, was discovered by an anonymous source and sent to security expert and operator of haveibeenpwned.com Troy Hunt early on Tuesday morning.
The database was uncovered through a scan of IP address ranges configured to search for publicly exposed web servers that returned directory listings containing .sql files.
The contents of the ‘mysqldump’ database backup contains everything from personal details (name, gender, physical and email address, phone number, date of birth and occasionally blood type and country of birth) to sensitive medical information, like whether someone has engaged in at-risk sexual behaviour in the last year.
The database collected information submitted when an individual books an appointment – either on paper or online – to donate blood. The process requires donors to enter their personal details and fill out an eligibility questionnaire.
It does not contain data on blood reports or analyses, or responses to the full donor questionnaire all blood bank visitors are required to fill out at the time of their donation.
The database was published on the webserver of a Red Cross Blood Service technology partner that maintains the service’s website, not the organisation’s www.donate.blood.com.au site where online bookings are made.
“This is a seriously egregious cock-up – this should never happen,” Hunt told iTnews.
“There are no good reasons to put database backups on a publicly-facing website.” The issue was compounded by the fact that directory browsing was enabled on the server, he said.
The file was removed on Wednesday. Hunt said there was no evidence of it having been accessed by anyone else, and both he and the anonymous source had deleted their copies.
Australia’s computer emergency response team, AusCERT, has been working with the Red Cross after being notified of the breach by Hunt on Tuesday.
The Red Cross indicated around 550,000 individual donors were impacted.
It attributed the issue to “human error” and said it was “deeply disappointed” to be in this position.
The service has started notifying affected donors today.
“We are extremely sorry and deeply disappointed to have put our donors in this position. We apologise and take full responsibility for this,” said Red Cross Blood Service chief executive Shelly Park.
“I want to assure our valued donors that we are doing absolutely everything to right this, and we will ensure that we are in the position that this will never happen again.”
The total amount of records makes the breach the largest ever leak of personal data in Australia, vastly surpassing similar breaches at the likes of Kmart, David Jones, Aussie Farmers Direct and Catch of the Day.
It is also the first time sensitive medical details of Australian citizens have been leaked online at scale.
However, Hunt said he did not want the breach to discourage people from donating blood and potentially impacting Australia’s crucial blood supply.
“The bigger picture here is that this is lifesaving stuff,” he told iTnews.
“I’ve registered an appointment for Monday through the site and entered all my legitimate information to try and encourage people to donate.”
Update: Privacy Commissioner Timothy Pilgrim has said he will investigate the breach and make his findings public.
“I welcome [the Red Cross’] prompt actions to prevent any further disclosure of this highly sensitive personal information,” he said in a statement.
“My office encourages voluntary notification of data breaches, particularly where there is a risk to an individual as a result of a breach. This is good privacy practice as it gives individuals the opportunity to take proactive steps to protect their personal information and also helps to protect an organisation’s reputation by displaying transparency.”
No doubt the cause of the data breach will become clear, but from the statement it is already clear that there are real issues with the quality of the data security systems the Australian Red Cross has in place. On the Blood Service’s own timeline the file sat on its provider’s web server from 5 September to 25 October, and neither the Blood Service nor the provider noticed; it was a third party scanning for exposed servers that detected the breach. For an organisation that holds highly sensitive information that is a real breakdown in cyber security standards.
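The iTnews report describes the scan that found the file: look for web servers that return directory listings, and pick out listings that contain .sql files. The following is an added example, not code from the Red Cross, its web developer, iTnews or Troy Hunt, showing the two checks such a scan (or a defender auditing their own hosts) applies to a page it has already fetched. The index page and the dump header below are constructed samples; the check for “Index of /” in the title, the list of suffixes and the mysqldump header test are assumptions about what typical autoindex pages and dumps look like, and the example does not do any network scanning itself.

```python
"""Detect database dumps exposed through a web server's directory listing.

Added example, not code from the Red Cross, its provider, iTnews or Troy Hunt.
SAMPLE_LISTING and SAMPLE_HEADER are constructed; the suffix list and the
"Index of /" heuristic are assumptions about common autoindex output.
"""
import re
from html.parser import HTMLParser

# File names that usually mean a database dump or a site backup (assumed list).
DUMP_SUFFIXES = (".sql", ".sql.gz", ".sql.zip", ".sql.bz2", ".dump", ".bak", ".tar.gz")


class _LinkCollector(HTMLParser):
    """Collect href values from an index page (Apache/nginx autoindex style)."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def is_directory_listing(html):
    """Heuristic: autoindex pages carry 'Index of /...' in the title or h1."""
    return re.search(r"<(title|h1)>\s*Index of /", html, re.IGNORECASE) is not None


def exposed_dumps(html):
    """Return hrefs in a directory listing that look like database dumps or backups."""
    if not is_directory_listing(html):
        return []
    collector = _LinkCollector()
    collector.feed(html)
    found = []
    for href in collector.hrefs:
        # Strip a query string and a trailing slash before comparing the suffix.
        name = href.split("?")[0].rstrip("/").lower()
        if name.endswith(DUMP_SUFFIXES):
            found.append(href)
    return found


def looks_like_mysqldump(head):
    """mysqldump output opens with a comment header naming the tool and host."""
    return head.lstrip().startswith("-- MySQL dump") or "-- Host:" in head[:400]


# Constructed sample index page in Apache mod_autoindex form.
SAMPLE_LISTING = """<html><head><title>Index of /backups</title></head><body>
<h1>Index of /backups</h1>
<a href="../">Parent Directory</a>
<a href="site_2016-09-05.sql">site_2016-09-05.sql</a> 05-Sep-2016 02:10 1.7G
<a href="site_2016-09-05.sql.gz">site_2016-09-05.sql.gz</a>
<a href="logo.png">logo.png</a>
<a href="notes.txt">notes.txt</a>
</body></html>"""

# Constructed first bytes of a dump file, in the shape mysqldump writes.
SAMPLE_HEADER = """-- MySQL dump 10.13  Distrib 5.6.33, for Linux (x86_64)
--
-- Host: localhost    Database: donors
-- ------------------------------------------------------
-- Server version\t5.6.33
"""

if __name__ == "__main__":
    for href in exposed_dumps(SAMPLE_LISTING):
        print("exposed dump candidate:", href)
    print("mysqldump header:", looks_like_mysqldump(SAMPLE_HEADER))
```

The second check matters because the first is only a file-name match: reading the first few hundred bytes of the candidate confirms it is a real dump without downloading 1.7 GB. The fixes on the server side are the ones Hunt’s comment implies: keep backups outside the document root entirely, and turn directory listings off (`Options -Indexes` in Apache, `autoindex off` in nginx) so a stray file is at least not advertised.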
In terms of the number of records lost, this breach is dwarfed by Yahoo’s new, depressing record for loss of data: 500 million Yahoo accounts breached, announced on 22 September 2016.
Yahoo’s statement provides:
SUNNYVALE, Calif.–(BUSINESS WIRE)–A recent investigation by Yahoo! Inc. (NASDAQ:YHOO) has confirmed that a copy of certain user account information was stolen from the company’s network in late 2014 by what it believes is a state-sponsored actor. The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers. The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected. Based on the ongoing investigation, Yahoo believes that information associated with at least 500 million user accounts was stolen and the investigation has found no evidence that the state-sponsored actor is currently in Yahoo’s network. Yahoo is working closely with law enforcement on this matter.
Yahoo is notifying potentially affected users and has taken steps to secure their accounts. These steps include invalidating unencrypted security questions and answers so that they cannot be used to access an account and asking potentially affected users to change their passwords. Yahoo is also recommending that users who haven’t changed their passwords since 2014 do so.
Yahoo encourages users to review their online accounts for suspicious activity and to change their password and security questions and answers for any other accounts on which they use the same or similar information used for their Yahoo account. The company further recommends that users avoid clicking on links or downloading attachments from suspicious emails and that they be cautious of unsolicited communications that ask for personal information. Additionally, Yahoo asks users to consider using Yahoo Account Key, a simple authentication tool that eliminates the need to use a password altogether.
Online intrusions and thefts by state-sponsored actors have become increasingly common across the technology industry. Yahoo and other companies have launched programs to detect and notify users when a company strongly suspects that a state-sponsored actor has targeted an account. Since the inception of Yahoo’s program in December 2015, independent of the recent investigation, approximately 10,000 users have received such a notice.
Additional information will be available on the Yahoo Security Issue FAQs page, https://yahoo.com/security-update, beginning at 11:30 am Pacific Daylight Time (PDT) on September 22, 2016.
The reportage has been extensive and damaging to Yahoo, with USA Today, as an example, reporting in 500 million Yahoo accounts breached that:
SAN FRANCISCO — Information from at least 500 million Yahoo accounts was stolen from the company in 2014, the company said Thursday, indicating it believes a state-sponsored actor was behind the hack.
The theft may have included names, email addresses, telephone numbers, dates of birth, and in some cases, encrypted or unencrypted security questions and answers, Yahoo said.
Even in an Internet-dependent population accustomed to the regular occurrence of massive data breaches, the size of this one — thought to be the largest ever in terms of user accounts — is attention-grabbing. And the possibility that another country could be behind the attack adds to the shock factor.
The FBI said it was aware of the intrusion and is investigating the matter but did not give any information about whether it had specific insight into who might have been behind the attack.
“We take these types of breaches very seriously and will determine how this occurred and who is responsible,” the agency said in an emailed statement Thursday.
Claims surfaced in early August that a hacker using the name “Peace” was trying to sell personal information of Yahoo account users on the dark web — a black market of thousands of secret websites.
Reset passwords
Yahoo, which says about 1 billion people globally engage with one of its properties each month, said it was notifying potentially affected users and taking steps to secure their accounts, such as invalidating unencrypted security questions and answers. Users who haven’t changed their passwords since 2014 should do so, it said.
About 250 million use Yahoo Mail, while another 81 million use Yahoo Finance and tens of millions use Yahoo Fantasy Sports.
The Sunnyvale, Calif. company is also reaching out to users of Flickr, the 113-million-user photo-sharing service whose accounts may have been linked to their Yahoo IDs. No accounts on Yahoo-owned blogging site Tumblr should be affected.
Verizon sale in progress
The announcement comes at an awkward time for Yahoo. Pressured by investor activists disgruntled by stagnating growth under CEO Marissa Mayer, the company engaged in a multi-month sales process, culminating in a July deal to sell its core Internet business to media giant Verizon Communications. The $4.8 billion deal is expected to close in the first quarter of next year.
Verizon said it was notified of the Yahoo breach “within the last two days.” “We understand that Yahoo is conducting an active investigation of this matter, but we otherwise have limited information and understanding of the impact,” Verizon said.
Given the unsettled nature of Yahoo’s ownership just now, “regulators should be concerned with who will take responsibility for the response to this compromise. It can be easy for the ‘right thing to do’ to slip through the cracks in a multi-billion dollar transition,” said Tim Erlin, senior director of IT security and risk strategy at Tripwire, a computer security firm.
The breach doesn’t threaten Verizon’s acquisition of Yahoo, says Robert Peck, Internet equity analyst with SunTrust Robinson Humphreys. But the investigation will likely lead to findings that perhaps 5% of users have left Yahoo and that could yield a lower price for Verizon.
Should the result be that Yahoo has perhaps 5 million to 10 million fewer users than when the transaction was announced in July, “this could affect the Verizon purchase price from around $100 million to $200 million,” Peck said.
Yahoo’s Mayer has pledged to stay on with the company through the close of the merger, which is being overseen by Verizon’s Marni Walden and AOL CEO Tim Armstrong. Yahoo shares (YHOO) were flat Thursday. Verizon (VZ) shares were up 0.9% at $52.35.
Credential stuffing
Most consumers might not think there’s much in their Yahoo account that would be of use to hackers, which typically might only include their email and Yahoo password. However, those two bits of information offer multiple uses for ingenious hackers bent on extracting the maximum value from information, say experts.
According to a Gartner survey, 50% of users reuse their passwords across multiple platforms. So armed with an email address and Yahoo password, hackers might be able to gain access to multiple accounts.
The technique is called “credential stuffing” and it’s become epidemic over the last year and a half, said Avivah Litan, a vice president and analyst at Gartner Research.
“The bad guys get lists of user IDs and password and then test them, they run through them at all the sites they want to attack to see where they work,” she says.
Once hackers gain access to other accounts, they are able to assemble dossiers on individuals. These are called “fullz” and include as much information as the hacking group has about a person, assembled from multiple sources over time. Typically they contain the person’s name, Social Security number, birth date, address, birthday, account numbers and other data.
“There are fullz available probably for most of the U.S. population,” said Litan.
The attackers don’t only use that information to go after bank accounts and credit cards, but also less obvious and harder to track information that is still worth money on the black market.
That can include loyalty points at hotel chains and airlines, avatars and points from online games, even stored value in coffee cards. Once accessed, all of these can be siphoned off, bundled and then resold.
“They’ve gone low, slow and distributed. You used to be able to see these attacks coming through really quickly after a breach,” said Litan. Instead organized crime groups take their time, harvesting points and value.
“It’s very lucrative,” said Litan.
The problem with data breaches is not only the breach itself but also the deficiencies that come to light on further investigation. The accusation levelled against Yahoo was that it did not focus on the danger from hackers, as set out in Defending Against Hackers Took a Back Seat at Yahoo, Insiders Say.
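The USA Today passage above describes credential stuffing as it is seen from the attacker’s side: take a leaked list of e-mail addresses and passwords and replay it against other sites, either in bulk or “low, slow and distributed”. The following is an added example, not code from Yahoo, Gartner or USA Today, showing the defender’s side: the two signals in an authentication log that distinguish a stuffing run from ordinary users mistyping passwords. The log format, field names and thresholds are assumptions, and the log lines are constructed.

```python
"""Flag credential stuffing in authentication logs.

Added example, not code from Yahoo, Gartner or USA Today. SAMPLE_LOG is
constructed; the line format, field names and thresholds are assumptions.
"""
import re
from collections import defaultdict

# Assumed log format: "<timestamp> ip=<addr> user=<name> result=ok|fail"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


def parse(lines):
    """Yield (ip, user, succeeded) for each well-formed line; skip malformed ones."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m["ip"], m["user"], m["result"] == "ok"


def per_ip_stats(events):
    """Aggregate attempts, successes and distinct usernames per source IP."""
    stats = defaultdict(lambda: {"attempts": 0, "ok": 0, "users": set()})
    for ip, user, ok in events:
        s = stats[ip]
        s["attempts"] += 1
        s["ok"] += int(ok)
        s["users"].add(user)
    return stats


def stuffing_sources(lines, min_users=5, max_success_rate=0.2):
    """Return IPs that tried many distinct usernames and mostly failed.

    A real user who mistypes a password hits one or two usernames from one
    IP. A stuffing run cycles through a leaked list, so distinct usernames
    per IP is high and the success rate low, though not zero: the reused
    passwords the article describes are exactly the ones that succeed.
    """
    stats = per_ip_stats(parse(lines))
    flagged = []
    for ip, s in stats.items():
        rate = s["ok"] / s["attempts"]
        if len(s["users"]) >= min_users and rate <= max_success_rate:
            flagged.append(ip)
    return sorted(flagged)


def single_shot_failures(lines):
    """Count distinct usernames whose failures came from IPs seen only once.

    This is the 'low, slow and distributed' variant: each source IP tries a
    single username, so per-IP counting sees nothing unusual. A jump in this
    count over a window is the signal to compare against a normal baseline.
    """
    stats = per_ip_stats(parse(lines))
    users = set()
    for s in stats.values():
        if s["attempts"] == 1 and s["ok"] == 0:
            users.update(s["users"])
    return len(users)


# Constructed sample log: one bulk stuffing source, one ordinary user who
# mistyped once, three single-shot failures from unrelated IPs, one bad line.
SAMPLE_LOG = """
2016-09-22T10:00:01 ip=198.51.100.10 user=alice result=fail
2016-09-22T10:00:02 ip=198.51.100.10 user=bob result=fail
2016-09-22T10:00:03 ip=198.51.100.10 user=carol result=ok
2016-09-22T10:00:04 ip=198.51.100.10 user=dave result=fail
2016-09-22T10:00:05 ip=198.51.100.10 user=erin result=fail
2016-09-22T10:00:06 ip=198.51.100.10 user=frank result=fail
2016-09-22T10:01:00 ip=203.0.113.7 user=grace result=fail
2016-09-22T10:01:30 ip=203.0.113.7 user=grace result=ok
2016-09-22T10:02:00 ip=192.0.2.21 user=heidi result=fail
2016-09-22T10:02:10 ip=192.0.2.22 user=ivan result=fail
2016-09-22T10:02:20 ip=192.0.2.23 user=judy result=fail
this line is malformed and is skipped
""".strip().splitlines()

if __name__ == "__main__":
    print("bulk stuffing sources:", stuffing_sources(SAMPLE_LOG))
    print("single-shot failing usernames:", single_shot_failures(SAMPLE_LOG))
```

The point of the second function is the one Litan makes: once the attempts are spread across many addresses the per-IP rule never fires, and the only thing left to watch is the aggregate rate of first-and-only failures against a baseline for the same window on a normal day. Neither rule helps the account whose reused password works on the first try, which is why the Yahoo statement’s advice to change the same password everywhere else is the only real fix.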