An investigation into one of Australia's largest and most sensitive data breaches — which exposed the contact details and high-risk sexual behaviours of blood donors — has let the Red Cross Blood Service off without a fine.
The country’s privacy watchdog said the personal information of over half a million people who had booked online to donate blood was publicly accessible on the internet for 50 days last year, but commended the organisation’s response.
Australian Information and Privacy Commissioner Timothy Pilgrim, who conducted the probe into the massive DonateBlood.com.au data breach, said the community can have confidence in the Blood Service’s commitment to securing the personal information of donors.
“Data breaches can still happen in the best organisations, and I think Australians can be assured by how the Red Cross Blood Service responded to this event. They have been honest with the public, upfront with my office, and have taken full responsibility at every step of this process,” Pilgrim said.
In October the Blood Service revealed that 1.28 million records — including names, contact details, genders, dates and countries of birth, blood types and high-risk sexual behaviours — had been inadvertently exposed online.
According to the commissioner, a file containing the details of 550,000 people who had booked appointments between 2010 and 2016 was saved to a public-facing web server by an employee of the organisation’s website contractor, Precedent Communications.
The commissioner found the Blood Service was not directly responsible for the breach but had contributed to the incident through “the absence of contractual measures or other reasonable steps on the part of the Blood Service to ensure adequate security measures for personal information held for it by the relevant third party contractor” and “the retention of data on the Donate Blood website for a longer period than was required.”
The breach showed that responsibility for adhering to the Privacy Act cannot be outsourced.
“This incident is an important reminder that you cannot outsource privacy obligations. All organisations must put in place reasonable measures to ensure their third party providers’ compliance with appropriate privacy and data security practices and procedures,” Pilgrim said.
The data file was discovered by an unknown individual and, once notified, the Blood Service took immediate steps to contain it and inform affected individuals, the investigation found.
The organisation has since destroyed the data file and limited the personal information collected by the site. It has also given an enforceable undertaking to the commissioner that it will continue to introduce new measures as a result of the breach.
The commissioner also conducted a review into Precedent’s role, finding the company had breached the Privacy Act by “disclosing the personal information of individuals who had made an appointment on the Donate Blood website” and “failing to take reasonable steps to adequately mitigate against the risk of a data breach, and to protect the personal information it held from unauthorised disclosure.”
In deciding not to fine the company, the commissioner said Precedent had acted appropriately in response to the data breach while adopting extensive remedial action. The OAIC has accepted an enforceable undertaking from the firm that it will address the issues identified in the investigation.
In his review, the commissioner said the breach provides important lessons for other organisations that are custodians of private information.
“Organisations should have sufficient protections in place to ensure that even if there is a failure at one point, the protections inherent in the other levels will prevent the breach from occurring.”