On Friday 28 October 2016, news came to light that the Red Cross Blood Service had been the subject of possibly the largest data leak seen in Australia to date, with the personal information of around 550,000 blood donors involved.
The data contained millions of records, including contact information and blood donation history, as well as some particularly sensitive pieces of information relating to donors’ health and sexual behaviour.
This incident does not appear to have been the result of a malicious hack. Rather, a backup of the Blood Service’s database was inadvertently left in a location on a public webserver from which it could be downloaded without any authentication.
The file was found by a member of the public around seven weeks after it had been placed there. He took his discovery to a noted IT security expert, who reported the matter to the Australian Computer Emergency Response Team (AusCERT). However, it was not immediately apparent whether anyone else had accessed the records in the intervening period, and so the practical impact of the incident remains uncertain at this stage. Where a file has been served from a public webserver, the server’s access logs are the usual means of establishing whether, and by whom, it was downloaded.
The Blood Service has been swift in its response, setting up a dedicated website and an email and phone hotline, contacting individuals impacted, and offering counselling and other support resources, while continuing to investigate the incident in conjunction with AusCERT, the Office of the Australian Information Commissioner (OAIC) and the Australian Cyber Security Centre (ACSC).
Under the Australian Privacy Principles (APPs), and in particular APP 11, organisations holding personal information are required to take reasonable steps to protect that information against misuse, interference and loss, and from unauthorised access, modification or disclosure.
At present, there is no general obligation on organisations to report data breaches to the public or to inform the individuals whose data has been involved. However, a Bill before Commonwealth Parliament proposes amendments to the Privacy Act 1988 (Cth) that would require such steps in certain cases, as discussed further in our article here.
Until that legislation is passed, the OAIC guide entitled Data breach notification – A guide to handling personal information security breaches sets out best practice suggestions as to how to respond to such events.
Given the scale of the Blood Service information leak, and the seemingly comprehensive, speedy, transparent and clear response being taken, it may be that this incident is held up as a case study of good practice in incident response for years to come.
This article was written by Andrew Miers, Partner and Daniel Kiley, Senior Associate.