Precedent, the UK-headquartered website maintenance and development contractor for the Red Cross Blood Service, has been implicated in the data breach that exposed the sensitive personal and medical records of 550,000 donors online.
The Red Cross Blood Service battled to deal with the breach last week after it was identified by an anonymous individual, who stumbled across the 1.74GB file containing 1.28 million records while scanning IP address ranges for publicly exposed web servers containing .sql files.
The Red Cross Blood Service became aware of the blunder on Tuesday morning through a chain of communications that included security researcher Troy Hunt and Australia’s computer emergency response team, AusCERT.
The Blood Service has laid responsibility for the slip-up on its outside contractor in a statement on its website, which says "on 26 October, the Blood Service became aware that a file containing donor information was placed in an insecure environment by a third party that develops and maintains the Blood Service’s website".
Precedent, which has its head office in London and sites in Melbourne and Perth, was engaged by the blood service to redesign and maintain its core website, www.donateblood.com.au, in 2015.
It created a Drupal 7-based responsive site to make it easier for people who have never donated blood to find out more about the process, and to make bookings for donors much simpler.
The new site was launched to the public in November last year.
However, a human error made by one of Precedent’s technical team meant a database backup containing all the information donors enter as part of their booking process was exposed online from a separate server for almost two months from 5 September this year.
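As an added illustration (not code from the article, from Precedent or from the Blood Service), the script below performs the defensive counterpart of the scan described above: it walks a local web root and reports any file a scanner probing for .sql dumps would find, flagging those whose first bytes carry the header mysqldump writes. The web root layout, the `sites/default/backup.sql` path and the sample dump contents are constructed for the example; the column names are illustrative and are not the real schema.

```python
"""
Find database dumps left in a web-served directory.

Added example, not the article's or the contractor's own code. The
sample web root, file names and dump contents are constructed.
"""
import os
import tempfile

# Extensions a scanner looking for backups would try (assumed list).
DUMP_EXTENSIONS = (".sql", ".sql.gz", ".sql.bak", ".dump")

# mysqldump writes one of these as the first line of its output.
MYSQLDUMP_MARKERS = (b"-- MySQL dump", b"-- MariaDB dump")

# Constructed sample dump; table and column names are illustrative only.
SAMPLE_DUMP = b"""-- MySQL dump 10.13  Distrib 5.7.15, for Linux (x86_64)
--
-- Host: localhost    Database: donors
-- ------------------------------------------------------
CREATE TABLE `donor` (`id` int, `email` varchar(255), `dob` date);
INSERT INTO `donor` VALUES (1,'example@example.invalid','1980-01-01');
"""


def looks_like_mysqldump(path):
    """Return True if the file's first bytes carry a mysqldump header."""
    with open(path, "rb") as fh:
        head = fh.read(64)
    return head.startswith(MYSQLDUMP_MARKERS)


def find_exposed_dumps(web_root):
    """Walk web_root and list files a dump scanner would pick up.

    Returns a sorted list of (relative_path, is_mysqldump) tuples. A bare
    extension match is still reported, because the web server serves the
    file whether or not it parses as a dump; a header match only raises
    confidence that the file really is a database backup.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            if not name.lower().endswith(DUMP_EXTENSIONS):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, web_root)
            findings.append((rel, looks_like_mysqldump(full)))
    return sorted(findings)


def build_sample_web_root():
    """Create a constructed web root containing a stray backup (demo only)."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "sites", "default"))
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<html>ok</html>")
    # A real mysqldump-style backup dropped under the document root.
    with open(os.path.join(root, "sites", "default", "backup.sql"), "wb") as fh:
        fh.write(SAMPLE_DUMP)
    # A plain SQL file without the dump header: reported, but not as a dump.
    with open(os.path.join(root, "notes.sql"), "w") as fh:
        fh.write("SELECT 1;\n")
    return root


if __name__ == "__main__":
    root = build_sample_web_root()
    for rel, is_dump in find_exposed_dumps(root):
        label = "mysqldump output" if is_dump else "sql file, header unknown"
        print(f"{rel}: {label}")
```

Run it against the real document root of a site (`find_exposed_dumps("/var/www/html")`, path assumed) rather than the demo directory; anything it reports is reachable by the same kind of scan that found the file in this case, so the fix is to move the file out of the served tree, not to rename it.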
Precedent's APAC delivery director, Rob Van Selm, confirmed his company’s involvement in the breach to CRN's sister title, iTnews.
He said the firm was continuing to help the Red Cross Blood Service and AusCERT with their investigations.
Van Selm declined to comment on the events leading up to the breach other than to admit “human error” was the cause. He said further information would come to light in due course.
“We’re trying to determine where the issue lies and who is responsible,” he told iTnews.
According to a statement on the company's website, "Precedent are working closely with the Australian Red Cross Blood Service and their partners to investigate the isolated data breach on the 25th October 2016. We are taking the matter extremely seriously, and we have taken immediate steps to investigate the issue."
The mysqldump database backup contained significant personal details such as name, gender, physical and email address, phone number, date of birth, and country of birth.
However, what separates it from other headline breaches of recent years is the inclusion of sensitive medical information, like data on blood type and instances of high-risk sexual behaviour.
The scale and severity of the breach has prompted an investigation by the Privacy Commissioner, who will soon begin dissecting what has now earned the crown of Australia’s biggest – and most sensitive – data breach to date.