The backup of a key database, which had the details of 500,000 blood donors, was placed on a publicly accessible web server this week. The file contained details including including blood type, name, contact details, date of birth and gender.
It is yet another example of security servers failing and the third major breach in Australia this year.
“This is now the third critical infrastructure network to be breached in Australia in close succession,” said Jonathan Martin, EMEA operations director at Anomali.
“First the Bureau of Statistics, then the Bureau of Meteorology, and now the Australian Red Cross. This is by far the worst breach that the country has seen, with extremely personal data put at risk by not having any protective system in place.”
“Companies that deal with such sensitive data or valuable intellectual property, are at greater risk than most and therefore have a greater responsibility to ensure these types of attacks are mitigated.”
>See also: Yahoo data leak: the biggest on record
However, the interest in this story lies in how the data breach was identified.
Commonly, hacks can go unrealised for months, even years. Take Yahoo’s data breach as an example.
This month it came to light that 500 million Yahoo account details, including names, passwords, email addresses, phone numbers and security questions, had been accessed and released on the internet.
The hack, however, actually took place in 2014.
With this latest hacking scandal Troy Hunt, a Microsoft regional director and security developer, was contacted on Tuesday morning by an anonymous person on Twitter who told him he had obtained personal information about him and his wife.
“This guy reached out to me and said, ‘Here’s your personal data,’” Hunt said.
“There was my name, my email, my phone number, my date of birth, and information about when I had last donated blood.”
If the anonymous tipper had not come forward then the valuable personal information could have been circulated across the internet for a substantial length of time without anyone the wiser.
It poses the question: how can hacks be identified as soon as they happen? Because it appears, all too often, that they go unregistered.
Post-GDPR this will not be an option, with organisations required to let the relevant authorities know with 72 hours of any data breach.
“Organisations have to find new ways of examining malware that enters the network without triggering its ability to detect that it is being tested,” says Simon Moor, UK country manager at Check Point.
“So companies not only have to remain vigilant against established malware families, they also face the challenge of protecting their networks against new, rapidly-emerging attack types.”
“If organisations don’t track where their data is moving and who holds it, it’s only a matter of time before a damaging breach occurs,” said Steve Murphy, senior vice president EMEA at Informatica.
“With sensitive data often passing between multiple companies during partnerships and sales, it’s essential that organisations have a data-centric security strategy in place to ensure that data is secure wherever it goes.”
Finally, Martin suggests that through a war of attrition, by upping the costs and sophistication necessary to obtain information will mean the aggressor has to squeeze through too many choke points.
“Adding in multiple sources of threat intelligence is essential, which collates data from malware, incidents, and threat actors, etc., to identify, prioritise, and action responses to malicious activity in real-time. There is no excuse for customer details to end up on the Dark web.”