Quoting from http://www.abc.net.au/news/2016-10-28/red-cross-data-breach-may-have-exposed-donors-to-identity-theft/7976392

Red Cross data breach could have exposed donors to identity theft, cyber security expert says

Updated Fri at 7:12 pm

 

PHOTO: The Red Cross said all of the data had been deleted and the risk of misuse was low. (ABC Adelaide: Brett Williamson)


Information from the Red Cross data breach could have been used for identity theft or sold on the black market if "unsavoury" criminals had obtained it, a computer security expert from the University of Melbourne says.

Key points:

  • Information could have been used for identity theft or phishing schemes
  • Data of 550,000 blood donors leaked from Red Cross Blood Service
  • Red Cross responded well by going public, engaging cyber security experts

The personal data of 550,000 blood donors was leaked from the Red Cross Blood Service in what has been described as Australia's largest security breach.

The organisation said a file containing donor information was placed in an "insecure computer environment" and "accessed by an unauthorised person".

The file contained the information of people who had donated blood between 2010 and 2016.

The Red Cross said all copies of the data had now been deleted and the risk of the misuse of the data was low.

The data came from an online application form and included "personal details" and identifying information including names, gender, addresses and dates of birth, a Red Cross statement said.

'Unsavoury' criminals could have accessed data

Dr Suelette Dreyfus from the Department of Computing and Information Systems at the University of Melbourne said identity theft was a real risk if the information fell into the wrong hands.

However, she said the Red Cross managed the crisis well by alerting the public and engaging experts to help them.

"This could've gone another way if it wasn't handled so well," she said.

"It could've been that the information was leaked and maybe if unsavoury characters had got the data they could potentially have sold it on the underground black market.

"Conceivably criminals might have potentially been able to use it for blackmail depending on how much information they were able to get out of it."

If, for example, a celebrity or politician had answered yes to the question about risky sexual behaviour, that information could have been used for blackmail.

Red Cross did a 'good job' of handling breach

Dr Dreyfus said many organisations do not respond very well to this type of data breach and often refuse to take responsibility.

"It looks like the Red Cross has worked very hard to also try and do the right thing and when you look at a leak of data or breach of data, it's every bit as important how it's responded to as also trying to figure out what went wrong in the first place," she said.

Dr Dreyfus said someone could set up an email phishing scheme if they could correlate that two people knew each other.

"There are a lot of reasons people might want their privacy, not because they're doing anything wrong, but just because privacy is a kind of autonomy," she said.

"Having control of your privacy is having control of your life."

Any donors concerned about the leak can contact the Red Cross via a dedicated hotline.

 

The Red Cross has expressed its "deep disappointment" and set up a link where those who have been impacted by the breach can seek assistance.
