Slashdot Mirror


Red Cross Blood Service Admits To Personal Data Breach Affecting Half a Million Donors (abc.net.au)

The personal data of 550,000 blood donors that includes information about "at-risk sexual behaviour" has been leaked from the Red Cross Blood Service in what has been described as Australia's largest security breach. From an ABC report: The organisation said it was told on Wednesday that a file containing donor information was placed on an "insecure computer environment" and "accessed by an unauthorised person." The file contained the information of blood donors from between 2010 and 2016. The data came from an online application form and included "personal details" and identifying information including names, gender, addresses and dates of birth, a Red Cross statement said. Red Cross Blood Service chief executive Shelly Park said "due to human error" the unsecured data had been posted on a website by a contractor who maintains and develops the Red Cross website.

32 comments

  1. They won't take my blood by Oswald+McWeany · · Score: 0

    American Red Cross doesn't like good English blood! (probably because giants on bean stalks can smell it and get irate at the smell) I've tried several times but they're scared I have mad cow disease.

    Don't know if the Aussies would take my blood, they're already mad, but they can't have it now.

    --
    "That's the way to do it" - Punch
    1. Re:They won't take my blood by Frederic54 · · Score: 1

      Same in Canada, I was in France for 3 months in the 80s so I am permabanned and cannot give blood, organs or tissues in Canada. Too bad for them as I am O+ and they made a vaccine with my VZV immunoglobulin or something

      --
      "Science will win because it works." - Stephen Hawking
    2. Re:They won't take my blood by Anonymous Coward · · Score: 0

      They're called the RED cross for a reason. They won't take blue blood!

    3. Re: They won't take my blood by Anonymous Coward · · Score: 0

      The American Red Cross did not want my pure Slovak blood, so I am keeping it to myself. :)

  2. the bleeding must stop for the healing to begin... by Anonymous Coward · · Score: 0

    cease fire stand down

  3. Translation. . . by Salgak1 · · Score: 1

    . . . somebody copied the database to a thumb drive, OR somebody emailed the file outside the corporate network. . .

    Or, the short version, somebody did something stupid that they were likely specifically told NOT to do in a security briefing that they either scanned or pencil-whipped. . . .

    1. Re:Translation. . . by Joe_Dragon · · Score: 1

      contractor who maintains and develops the Red Cross website.

      so they went with the low-bidder overseas guys?

    2. Re:Translation. . . by jellomizer · · Score: 1

      Well this is the year 2016 where hackers are no longer the equivalent of a nuisance whose attacks were just a mild inconvenience. Today such breaches are serious and can affect people's lives. The Red Cross should have filled the USB ports with glue and locked down the PCs to prevent some stupid person from accidentally leaking a major problem.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  4. Worse than Ashley Madison by GuB-42 · · Score: 2

    Blood donation forms typically include very sensitive questions like your number of sex partners, if it is not a clear "are you cheating?".
    With Ashley Madison, the mere presence of an account is a very weak proof of infidelity. In fact, considering the number of actual women present on the site, the chance of a husband cheating on his wife through this site is almost zero (unless bots count). But if you answer "yes" to one of the sensitive questions in a blood donor questionnaire, it can be considered a definite proof.

    1. Re:Worse than Ashley Madison by Anonymous Coward · · Score: 0

      Not true, at least in the US. It asks about paying for sex, travel, and man on man sex in the history. Not number of partners.

    2. Re:Worse than Ashley Madison by Oswald+McWeany · · Score: 1

      Not true, at least in the US. It asks about paying for sex, travel, and man on man sex in the history. Not number of partners.

      That could still theoretically be bad for a man if he is married to a woman and answers yes to any of those questions.

      --
      "That's the way to do it" - Punch
    3. Re:Worse than Ashley Madison by Anonymous Coward · · Score: 0

      Maybe if companies were forced to choose a value of "x" and write "you will receive $x if we accidentally leak this information" on forms, then they could multiply $x by their number of customers to know how seriously they should take security. People could then decide whether they feel that $x is a big enough insurance. Right now people have no idea what they're getting into.

    4. Re:Worse than Ashley Madison by Anonymous Coward · · Score: 0

      If he answers yes to any of those questions then he isn't allowed to donate blood. They show you the questions before you're required to take them, so why would anyone answer yes? If you're going to say yes then there's no point in showing up and if you're going to lie so you can donate then you won't have any yes answers.

      What really annoys me is that they ask if you're male or female, then still show you questions for the opposite sex (sex != gender, they ask if you're male/female not if you're a man/woman so don't bring up any gender issues as there aren't any). Further, they require the males to press the "I'm male" button on all the female questions but for the male questions females aren't required to press an "I'm female" button...

    5. Re:Worse than Ashley Madison by Anonymous Coward · · Score: 0

      Why do you want females pressing buttons. That's man's work. Soon they will have all our jobs.

    6. Re:Worse than Ashley Madison by Salgak1 · · Score: 1

      So . . .what you're saying is. . .

      "Wimmen, Dey Took Er Jerbs" ????

      (grin)

  5. Just Australia's donors? by Anonymous Coward · · Score: 0

    I read the article. It doesn't specify if only Australians are in the data or not. No worries for me. I live a boring life, nothing to see here...

  6. Great by Anonymous Coward · · Score: 0

    More blackmail material for Skynet.

  7. Re:Jokes on the hackers! by Anonymous Coward · · Score: 0

    The Red Cross along with a select other few entities such as the NY Times still solicits my long dead grandfather once a year who passed back in the late 90s.

    When you give blood, you go on their phone list, address list, and email list forever. And you've confirmed my suspicion... Even death doesn't get you off the list.

  8. Example questions from blood donation form by Anonymous Coward · · Score: 0

    Please excuse any typos--I copied this from a low-res image. These questions are representative of the form you have to fill out before you can donate blood. Some states ask, "Are you aware that it is a felony to knowingly provide false answers to these questions?" and "Are you aware that you may withdraw from the blood donation without questioning and/or you may request that your blood (if already taken) not be used for any reason?"

    Bold questions are ones I deemed fairly sensitive. Perhaps others would consider the geographical questions sensitive.

    • Are you feeling healthy and well today?
    • Are you currently taking an antibiotic?
    • Are you now taking or have you ever taken any medications on the Medication Deferral List? [includes blood-thinners, etc.]
    • Have you read the educational materials?
    • In the past 48 hours, have you taken aspirin or anything that has aspirin in it?
    • Female donors: In the past 6 weeks, have you been pregnant or are you pregnant now?
    • In the past 8 weeks, have you donated blood, platelets, or plasma?
    • In the past 8 weeks, have you had any vaccinations or other shots?
    • In the past 8 weeks, have you had contact with someone who had a smallpox vaccination?
    • In the past 16 weeks, have you donated a double unit of red cells using an apheresis machine?
    • In the past 12 months, have you had a graft such as bone or skin?
    • In the past 12 months, have you come into contact with someone else’s blood?
    • In the past 12 months, have you had an accidental needle-stick?
    • In the past 12 months, have you had sexual contact with anyone who has HIV/AIDS or had a positive test for the HIV/AIDS virus?
    • In the past 12 months, have you had sexual contact with a prostitute or anyone else who takes money or drugs or other payment for sex?
    • In the past 12 months, have you had sexual contact with anyone who has ever used needles to take drugs or steroids or anything not prescribed by their doctor?
    • In the past 12 months, have you had sexual contact with anyone who has hemophilia or has used clotting factor concentrates?
    • Female donors: In the past 12 months, have you had sexual contact with a male who has ever had sexual contact with another male?
    • In the past 12 months, have you had sexual contact with a person who has hepatitis?
    • In the past 12 months, have you lived with a person who has hepatitis?
    • In the past 12 months, have you had a tattoo?
    • In the past 12 months, have you had ear or body piercing?
    • In the past 12 months, have you had or been treated for syphilis or gonorrhea?
    • In the past 12 months, have you been in juvenile detention, lockup, jail, or prison for more than 72 hours?
    • In the past three years, have you been outside the United States or Canada?
    • From 1960 through 1980, did you spend time that adds up to three (3) months or more in the United Kingdom? (Review list of countries in the UK)
    • From 1960 through 1980, were you a member of the U.S. military, a civilian military employee, or a dependent of a member of the U.S. military?
    • From 1960 to the present, did you spend time that adds up to five (5) years or more in Europe? (Review list of countries in Europe.)
    • From 1960 to the present, did you receive a blood transfusion in France or the United Kingdom?
    • From 1977 to the present, have you received money, drugs, or other payment for sex?
    • Male donors: From 1977 to the present, have you had sexual contact with another male, even once?
    • Have you EVER had a positive test for the HIV/AIDS virus?
    • Have you EVER used needles to take drugs, steroids, or anything not prescribed by your doctor?
    • Have you EVER used clotting factor concentrates?
    • Have you EVER had hepatitis?
    • Have you EVER had malaria?
    • Have you EVER had Chagas’ disease?
  9. Re:Jokes on the hackers! by Nidi62 · · Score: 1

    The Red Cross along with a select other few entities such as the NY Times still solicits my long dead grandfather once a year who passed back in the late 90s.

    Maybe they figure they can get more blood than normal from him since he's not using it anymore?

    --
    The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
  10. Ashley Madison by Anonymous Coward · · Score: 0

    For years, I thought Ashley Madison was some sort of lingerie shop like Victoria's Secret or something. And a few times I would say things like, "It's my wife's birthday. I'm thinking of getting her something from Ashley Madison; well, it's really a gift for me."

    I would get the strangest looks!

  11. Re:Jokes on the hackers! by Anonymous Coward · · Score: 0

    I wonder if they won't take European blood then due to right-to-be-forgotten laws.

  12. Doesn't make sense by bagofbeans · · Score: 4, Insightful

    Why would the website developer have access to the donor database?

  13. Re: Jokes on the hackers! by Anonymous Coward · · Score: 0

    No. They don't take it because they're Nazi shit.

  14. "due to human error"? by PJ6 · · Score: 2

    [...] the unsecured data had been posted on a website by a contractor who maintains and develops the Red Cross website.

    Sorry, but could someone please explain to me how is it even possible to do that accidentally?

    1. Re:"due to human error"? by Ol+Olsoc · · Score: 1

      [...] the unsecured data had been posted on a website by a contractor who maintains and develops the Red Cross website.

      Sorry, but could someone please explain to me how is it even possible to do that accidentally?

      Hellary and the DNC did it on purpose. And Mexican rapists. And that Baldwin guy. And Megyn Kelly. And Muslims and Bill Maher.

      It all makes perfect sense now doesn't it?

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    2. Re:"due to human error"? by Anonymous Coward · · Score: 0

      Are you having a stroke?

    3. Re:"due to human error"? by Ol+Olsoc · · Score: 1

      Are you having a stroke?

      of genius - yes indeedy!

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
  15. AUSTRALIA by denbesten · · Score: 1

    Neither TFA nor the summary make it clear that this was just the Australia Red Cross. No indications so far that any other countries have suffered a similar breach.

    1. Re:AUSTRALIA by Anonymous Coward · · Score: 0

      It doesn't really matter. If they have not been penetrated yet, it is only a matter of time. The more valuable a database, the sooner it will be cracked. The personal info that blood donation organizations collect is pretty valuable, so it's going to get hacked eventually. I looked into donating blood over a year ago and they told me that if I donated blood I had to give up my personal info and that it would go in a computer database. They gave me the standard spiel about it being private but they were obviously not IT experts. The place is basically a volunteer organization so they have even less ability to address security than big corps like Target, Anthem and the thousands of other companies that have already been hacked.

      FWIW, I think organizations like that should just keep the data on paper in a filing cabinet in a locked room. Use the computer for scheduling and tracking, but keep all of the personal info offline. It is basically write-once, read-never anyway. They only need it when there is an exception so the efficiency gains of keeping it online do not come anywhere near to compensating for the security risks.

  16. Cool by Anonymous Coward · · Score: 0

    I'd love to have a compiled list of women in their late teens and early twenties and are down with this "at-risk sexual behaviour" of which you speak.

    Not that I'll be heading to upside down and everything wants to kill me Australia any time soon. I mean really, fuck those won't let me bring my own fruit into their country motherfuckers.