[BreachExchange] Red Cross thankful for loyal donors after data breach

Audrey McNeil audrey at riskbasedsecurity.com
Fri May 5 18:11:20 EDT 2017


A 1.74GB MySQL database backup containing 1.3 million rows and 647
different tables from the Australian Red Cross was found to be publicly
available on October 28, 2016.

The data originated from an online donor application form that contained
details including name, gender, address, email, phone number, date of
birth, country of birth, blood type, and other donation-related data, as
well as appointments made.

At the time, it was called the largest unintended release of personal data
seen so far in Australia, but since then it has also been called one of
the best business responses to a crisis.

According to Red Cross Blood Services Australia executive director of donor
services Janine Wilson, her organisation has learned a lot from the

"We were a business that thought it was managing data pretty well, but
what's very clear to me now having gone through that is your actual IT
security systems can be watertight, but there are people who operate them
every day," Wilson explained, adding that processes and personnel are not
always in concert, which results in holes in security procedures that
sometimes can't be seen.

Speaking at the Oracle Modern Business Experience 2017 in Sydney on
Thursday, Wilson explained that the Red Cross made a very quick and
proactive decision to go public and did so as soon as they knew.

"It was our obligation to tell the 1.2 million donors that their data may
have been breached and here's what happened," she said.

The Red Cross was fortunate that those affected by the breach have, generally
speaking, forgiven the not-for-profit organisation.

"People responded to that honesty with a generous response, to be honest,
there was a tiny minority of people who got pretty cranky -- and fair
enough -- and we spoke with them on very personalised channels," she

"Blood donors are collectively a fairly loyal and forgiving lot ... I think
they were forgiving but I don't think they would be again."

Since October, Wilson said the Red Cross has strengthened a number of
things within its organisation, including surveillance and how it manages

"Things like when a donor makes an online appointment on our web page, it
used to be we held on to that information for a long time, there's no need
to hold onto it. And in fact, privacy requirements would say you don't need
to and therefore you shouldn't, so now we only hold onto it for as long as
we need to and then it gets deleted," she explained.

"There are practices like that we can change in order to reduce the risk on
all fronts that something like that could happen."
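The retention change Wilson describes, kept as a short worked example. This is added here and is not the Red Cross's code nor part of the original article: the table layout, column names, sample rows and 30-day window are all assumptions, and SQLite (Python standard library) stands in for MySQL so the script runs offline. It shows a purge of appointment records past their retention window, a dry-run count before the delete, and a check that nothing older than the cutoff is still held.

```python
"""Added example: retention purge for online-appointment records.

Not the Red Cross's code. Table layout, column names, retention window and
sample rows are assumptions; SQLite stands in for MySQL so it runs offline.
"""
import sqlite3
from datetime import date, timedelta

# Assumed retention window: appointment rows are deleted this many days
# after the appointment date. A real value comes from the privacy policy.
RETENTION_DAYS = 30

# Assumed schema; dates are stored as ISO 8601 text so they compare lexically.
SCHEMA = """
CREATE TABLE appointment (
    id INTEGER PRIMARY KEY,
    donor_email TEXT NOT NULL,
    appointment_date TEXT NOT NULL
)
"""

# Constructed sample rows, not real donor data.
SAMPLE_ROWS = [
    ("a@example.org", "2016-09-01"),
    ("b@example.org", "2016-10-15"),
    ("c@example.org", "2016-10-27"),
    ("d@example.org", "2016-11-03"),
]


def open_db(rows):
    """Create an in-memory database seeded with the given rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany(
        "INSERT INTO appointment (donor_email, appointment_date) VALUES (?, ?)",
        rows,
    )
    conn.commit()
    return conn


def expired_cutoff(today, retention_days=RETENTION_DAYS):
    """ISO date before which appointment rows are past their retention window."""
    return (today - timedelta(days=retention_days)).isoformat()


def purge_expired(conn, today, retention_days=RETENTION_DAYS, dry_run=False):
    """Delete rows older than the cutoff; return how many were (or would be) deleted."""
    cutoff = expired_cutoff(today, retention_days)
    if dry_run:
        (n,) = conn.execute(
            "SELECT COUNT(*) FROM appointment WHERE appointment_date < ?", (cutoff,)
        ).fetchone()
        return n
    cur = conn.execute("DELETE FROM appointment WHERE appointment_date < ?", (cutoff,))
    conn.commit()
    return cur.rowcount


def oldest_remaining(conn):
    """Oldest appointment date still held, or None if the table is empty."""
    (d,) = conn.execute("SELECT MIN(appointment_date) FROM appointment").fetchone()
    return d


def retention_ok(conn, today, retention_days=RETENTION_DAYS):
    """True when no row older than the cutoff is still held (the post-purge check)."""
    oldest = oldest_remaining(conn)
    return oldest is None or oldest >= expired_cutoff(today, retention_days)


def demo(today=date(2016, 11, 10), retention_days=RETENTION_DAYS):
    """Run dry-run, purge and check on the sample data; return the results."""
    conn = open_db(SAMPLE_ROWS)
    planned = purge_expired(conn, today, retention_days, dry_run=True)
    deleted = purge_expired(conn, today, retention_days)
    return planned, deleted, oldest_remaining(conn), retention_ok(conn, today, retention_days)


if __name__ == "__main__":
    print(demo())
```

The dry run exists so an operator can see the row count before a scheduled job deletes anything; the post-purge check is what an auditor would ask for. One caveat worth keeping in mind given how this breach happened: a purge only limits what a future database backup would contain, so backups taken before the purge need their own retention and access controls.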

Wilson reiterated that there is no foolproof system to avoid a breach, and
that it is simply a matter of when.

"Be really clear about what promise you have to whom and where your
priorities are on data security, and I think our donors know what we stand
for there and we've kept them updated," she said.

"The noise has died down but it will no doubt surface again as we make
other announcements about new solutions, and this, that, and the other,
we'll manage that as it comes."

The Australian Privacy Commissioner is still preparing his report on the