You may have seen the recent news coverage of the huge data breach in Australia involving the Australian Red Cross Blood Service.
It seems they’re the next organisation to face a gruelling investigation into how 550,000 of their patients’ details were accessed by an “unauthorised person”. It has been described as Australia’s largest data breach to date, and it’s a real concern, as most data breaches are.
Statistics
The breach involved the unauthorised access of some 1.3 million files, with over half a million of those files containing personal information about blood donors. It became public knowledge after a “tip-off”, and the 550,000 people whose personal information was breached are those who had completed a web form to donate blood between 2010 and 2016.
What information was accessed?
The information that was accessed included names, addresses, blood types, and other personal details. The database was backed up onto a server that was managed by a contractor called Precedent, and the cyber hacker reportedly ‘found’ the database, which was allegedly neither protected nor encrypted.
It goes without saying that this is extremely worrying.
Investigation
Results of an initial investigation found that no ‘deep personal records’ – such as medical records or test results – were accessed. However, how can they say for sure that medical records were not accessed? Even with a small amount of detail, it’s amazing what cyber hackers can do with the information.
On top of that, if the information that was breached was easy to find, how can we trust that more sensitive information wasn’t, or isn’t, just as easy to find?
Potential fines
The Blood Service potentially faces a fine of up to $1.7 million Australian Dollars for the breach, which would be the largest fine inflicted on an organisation in Australia. In comparison, Australian telecom Telstra was only fined $10,000 Australian Dollars for a data breach involving 16,000 of their customers.
We would hope that a fine of a greater amount would deter future lapses in security, and send warning signals to other organisations to take cyber security seriously, and keep personal information under wraps.
The Privacy Act
The risk of the information being misused is apparently low.
Red Cross reportedly notified donors as soon as the news of the unauthorised access came out, but this doesn’t change the fact that it is the organisation’s responsibility to keep personal information properly safe in the first place.
By failing to secure this data, they have committed a breach of the Privacy Act. The Privacy Act includes 13 Australian Privacy Principles which apply to some private organisations, non-profit organisations, and most Government organisations. One of the main principles that stands out in this case is to ‘keep personal information secure’, which, in our view, the Blood Service has clearly failed to do.
Their laws can be fairly similar to what we have over here in the UK – i.e. it’s all about making sure the organisation has a clear responsibility to keep information and data safe.
The Blood Service should seek to review its contractor, Precedent, as their privacy statement states “we store your information securely on our computer system…” – but, in this case, it seems quite clear to us that Precedent grossly failed to achieve this.
It has been reported that the breach occurred due to “human error”, but that doesn’t mean it could not have been prevented in the first place, nor does it remove any responsibility on the part of the company.