Hackers have breached and leaked the personal data of more than 550,000 donors from Australia’s Red Cross Blood Service. The leaked details include the email addresses, gender, date of birth, phone number and blood donation date of the organisation’s donors between 2010 and 2016.
The hackers appear to have simply scanned Internet IP addresses looking for exposed web servers that returned directory listings. Publicly showing a listing of the files on a web server is a well-known risk, and there is rarely a valid justification for it. By leaving the backup accessible on a public web server, the Australian Red Cross Blood Service essentially exposed its data to opportunistic hackers.
“This is literally as simple as going to an address such as http://127.0.0.1 and seeing a list of all the files on the system (sample address only). He’d then look to see if any of those files contained a .sql extension, which would indicate a database backup… and that is all,” according to security expert Troy Hunt. He added that this is the biggest data leak Australia has suffered.
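The two paragraphs above describe the exposure: a web server that returns a directory listing, with a database backup sitting among the listed files. The following self-audit check, added here and not part of the original article, shows how a defender can run the same observation against the body of a GET response from their own host: it recognises a default Apache/nginx autoindex page and flags any linked file whose name suggests a backup. The sample response body is constructed for the example and contains no real data.

```python
"""Self-audit: detect an exposed directory listing and flag backup-like files in it."""
import re
from html.parser import HTMLParser

# File suffixes that usually mean a database dump or site archive (assumed list)
BACKUP_SUFFIXES = (".sql", ".sql.gz", ".bak", ".dump", ".tar.gz", ".zip")


class _LinkCollector(HTMLParser):
    """Collect every href in an HTML body; autoindex pages link each file."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def looks_like_directory_listing(body: str) -> bool:
    """Default Apache and nginx autoindex pages title themselves 'Index of /path'."""
    return re.search(r"<(title|h1)>\s*Index of\s", body, re.IGNORECASE) is not None


def find_backup_files(body: str) -> list:
    """Return sorted filenames linked from a directory listing that look like backups.

    A page that is not a directory listing yields [] even if it links to such names,
    because the risk described here is the public listing itself.
    """
    if not looks_like_directory_listing(body):
        return []
    collector = _LinkCollector()
    collector.feed(body)
    return sorted({h for h in collector.hrefs if h.lower().endswith(BACKUP_SUFFIXES)})


# Constructed sample of an nginx autoindex response (not a real server or dataset)
SAMPLE_LISTING = """<html><head><title>Index of /</title></head>
<body><h1>Index of /</h1><hr><pre><a href="../">../</a>
<a href="css/">css/</a>
<a href="donors_backup.sql">donors_backup.sql</a>
<a href="index.html">index.html</a>
<a href="site.tar.gz">site.tar.gz</a>
</pre><hr></body></html>"""

# Constructed ordinary page: links to a .sql file but is not a listing, so not flagged
SAMPLE_NORMAL_PAGE = "<html><head><title>Welcome</title></head><body><a href='x.sql'>x</a></body></html>"

if __name__ == "__main__":
    print(find_backup_files(SAMPLE_LISTING))  # → ['donors_backup.sql', 'site.tar.gz']
```

In practice the body passed in is the response to a GET against each of your own hosts' document roots and backup directories; a non-empty result means the server should have directory listings disabled and the file moved out of the web root.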
Those affected have been sent a text message that reads: “The Blood Service has identified a potential data issue that may affect you” with a link to the blood service’s website for more information.