A data breach that involved a backup of a prospetive donor database maintained by the Australian Red Cross Blood Service being placed on a public web server was the result of a “one-off human error,” according to a report from the Office of the Australian Information Commissioner.
The file included registration data from 550,000 prospective donors.
Australian Information Commissioner Timothy Pilgrim launched an investigation in October last year after the the privacy breach was revealed. The OAIC today released a pair of reports on the incident: One on the Blood Service and one on Precedent Communications Pty Ltd, which managed the donateblood.com.au website.
“The root cause of the incident was a one-off human error on the part of a Precedent employee,” the OAIC’s report on the Blood Service concluded.
“The data breach occurred without the authorisation or direct involvement of the Blood Service, and was outside the scope of Precedent’s contractual obligations to the Blood Service.”
The data breach occurred when a Precedent employee created a backup of the database used by a non-production user acceptance testing environment. The UAT environment included a copy of the data used by the production version of the website, the report states. That data included details entered by individuals who had used the donateblood.com.au website to schedule appointments to donate blood.
The backup file was erroneously saved to a publicly accessible online location instead of a secure location.
The report noted that the Blood Service had polices and practices in place to protect personal information, though it added that there were two areas where the organisation had fallen short: The lack of contractual measures or “other reasonable steps” to ensure “adequate security measures for personal information held for it by the relevant third party contractor” and the retention of data for longer than was required.
“As there appears to be no reason for historical data to be retained on the Donate Blood website database indefinitely, the information should be destroyed or de-identified after a defined period,” the report states.
However, the report commended the organisation for its “quick response and handling of the breach”.
“Overall, the Blood Service acted appropriately and in a timely manner to rectify the data breach, and its response to the data breach provides a model of good practice for other organisations,” the report states.
“The circumstances of this incident and the Blood Service’s response mean that it is unlikely that there will be adverse consequences for affected individuals.”
Both the Blood Service and Precedent have offered enforceable undertakings to the OAIC.
“Australians can be assured that the Blood Service is fully committed to the security of its donors’ information," said Blood Service CEO Shelly Park.
“This assurance has also been given by the nation's highest authority on privacy matters the Information and privacy commissioner, in his report into our data security incident.”
“As the commissioner notes, we have enhanced our information handling practices since the incident,” the CEO added. “We have also agreed to a privacy check-up from the commissioner later next year as a further measure of confidence in our approach to information security.
“Information security remains a significant challenge for all organisations regardless of how robust you feel your systems and processes are. Our donors really can be assured that the safety of their information continues to be a top priority for us.”