October 31, 2016 By Douglas Bonderud 3 min read

When donors finish giving blood, they’re often handed some sweet treats, like cookies or juice, to help get them back to full strength. But for the Australian Red Cross, the end of October 2016 comes with not-so-funny tricks along with those treats. According to CSO Online, the service was recently notified that registration data of more than 550,000 individuals was compromised thanks to third-party error.

One of the biggest cybersecurity issues in the history of Australian health care, the Red Cross donor breach showcased the persistent problem with third-party vendors — unfettered access. But how do companies stay safe in a world where internal IT can’t do it all?

At an Arm’s Length

Ideally, the relationship between health services and third-party IT contractors should be a combination of familiarity and distance. Providers need enough information and access to do their jobs, but they should also be kept at arm’s length from potential areas of compromise.

In the case of the Australian Red Cross, problems occurred when an employee of the web developer that handles the agency's Blood Service website accidentally left a 1.74 GB file sitting in an unsecured, publicly reachable location. Preliminary investigations suggested the data was potentially accessible on the site from Sept. 5 to Oct. 25, 2016. If an apparently well-intentioned hacker hadn't contacted a reputable security researcher, the Red Cross donor breach could have gone completely unnoticed.

As noted by The Guardian, the incident came to light when an anonymous Twitter user sent security expert Troy Hunt a message that read, “Here’s your personal data.” The message was quickly followed by some of Hunt’s details, including full name, email, phone number and date of birth — all pieces of information he entered into an online Red Cross donation form.

Hunt convinced his contact to send over the entire file and delete the initial copy. He then contacted Australia’s Computer Emergency Response Team (AusCERT), which notified the Red Cross.

The final tally: 550,000 records, many containing detailed personal histories, sat completely unsecured in a database backup file on the website. Even more worrisome, the agency has no way of knowing how many people accessed the data, still hold copies of it or intend to use it for personal gain.

Red Cross Donor Breach Highlights Third-Party Risk

While the Australian Red Cross donor breach raises red flags for the agency, this has become a common concern for American health organizations as well. As noted by Dark Reading, the health care industry has suffered approximately $6.2 billion worth of data breaches over the last two years. In fact, Cyber Scoop reported that almost 250,000 medical records were breached just last month.

Efforts are underway to limit the risks of health breaches, often through increased employee training and better data handling practices. According to a recent Ponemon Institute survey, however, third-party threats are also a critical factor. Almost half of respondents said they had experienced a vendor-caused data breach, and 16 percent were “unsure,” often because third parties did not report this information.

Even with Business Associate Agreements and the specter of Health Insurance Portability and Accountability Act (HIPAA) compliance, small mistakes by third parties can cause big problems. For the Red Cross, all it took was one developer accidentally leaving a database backup accessible on the public-facing website to compromise half a million records.

Juice and Cookies

The solution boils down to access and control. Vendors need the specific permissions required to complete their assigned tasks and nothing else, even if broader access would make the job easier down the line. In addition, companies must vet the work of third parties after completion to ensure nothing is left open to the public that should be kept private, including stray exports, backups and dumps sitting under the web root.
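One concrete form that post-handoff vetting can take is a sweep of the site's document root for files that should never be served. The script below is an added example written for this article, not code from the Red Cross, its contractor or the page's author; it checks a local web root on the filesystem rather than probing the site over HTTP, and the suffix list, the SQL-dump content markers, the sample file names and the sample data are all constructed assumptions for the demonstration. A file is flagged if its name carries a backup or dump extension, or if its first few kilobytes contain a database-dump signature (which catches a dump that was renamed to look harmless).

```python
"""Sweep a web document root for backups and database dumps (added example)."""
import os
import tempfile
from pathlib import Path

# Extensions that usually mean a backup or dump (assumed list; extend to taste).
SUSPECT_SUFFIXES = (".sql", ".sql.gz", ".bak", ".dump", ".tar.gz", ".zip", ".old")
# Byte strings found near the top of common database dumps (assumed markers).
SQL_MARKERS = (b"-- MySQL dump", b"-- PostgreSQL database dump",
               b"CREATE TABLE", b"INSERT INTO")


def looks_like_dump(path: Path, sniff_bytes: int = 4096) -> bool:
    """Return True if the first sniff_bytes of the file carry a dump signature."""
    try:
        with path.open("rb") as fh:
            head = fh.read(sniff_bytes)
    except OSError:
        return False
    return any(marker in head for marker in SQL_MARKERS)


def find_exposed_files(webroot):
    """Walk webroot and return (relative_path, size_bytes, reasons) per finding."""
    root = Path(webroot)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        reasons = []
        if path.name.lower().endswith(SUSPECT_SUFFIXES):
            reasons.append("backup/dump extension")
        if looks_like_dump(path):
            reasons.append("SQL dump content")
        if reasons:
            rel = path.relative_to(root).as_posix()
            findings.append((rel, path.stat().st_size, reasons))
    return sorted(findings)


def build_sample_webroot(base):
    """Create a constructed sample site: two clean files, three that must be flagged."""
    base = Path(base)
    files = {
        "index.html": b"<html><body>Give blood today.</body></html>\n",
        "css/style.css": b"body { font-family: sans-serif; }\n",
        # A MySQL dump left under the web root (constructed data, not real donors).
        "backups/donors-2016-10.sql": (
            b"-- MySQL dump 10.13  Distrib 5.7\n"
            b"CREATE TABLE `donors` (`id` int, `name` text, `email` text);\n"
            b"INSERT INTO `donors` VALUES (1,'Jane Doe','jane@example.org');\n"
        ),
        # Binary archive renamed with a backup extension; content is opaque.
        "uploads/site.bak": b"\x00\x01\x02PK\x03\x04opaque-archive-bytes",
        # A dump renamed to .txt: only content sniffing catches this one.
        "downloads/report.txt": (
            b"Exported rows\n"
            b"INSERT INTO donors VALUES (2,'John Roe','john@example.org');\n"
        ),
    }
    for rel, content in files.items():
        target = base / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)


def demo():
    """Build the sample site in a temporary directory, scan it and return findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_webroot(tmp)
        return find_exposed_files(tmp)


if __name__ == "__main__":
    for rel, size, reasons in demo():
        print(f"{rel}\t{size} bytes\t{', '.join(reasons)}")
```

Run against a real document root, the same `find_exposed_files` call belongs in the handoff checklist and in a scheduled job, since a contractor can reintroduce the problem with the next deployment. The filesystem view is only half the check: a file that is present but not served is harmless, and one that is served through an alias outside the root is missed, so the sweep should be paired with a request-level test of the URLs the findings would map to.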

It’s an extra step and another inconvenience for health agencies, but it is both necessary and beneficial. Think of it like the juice and cookies after a blood donation — enough time and oversight ensures no system walks away at risk.
