The Australian Red Cross recently apologized for losing control of 1.74 gigabytes of donor data. Included in the breach are name, address, email, phone number, date of birth and other information from blood donors.
The data, 1.3 million records stored in 647 database tables is all the information the Australian Red Cross had on donors who accessed the online donor portal. This represents Australia’s largest leak ever of personal data.
The Australian government is asking a lot of questions, but this is a great exercise for everyone to contemplate.
First of all, why are they sharing all this data with a vendor? Does the vendor really need all of it or could they give the vendor a subset of the data?
How come the data was publicly accessible on the Internet? It sounds like the researcher was just looking for IP addresses that responded to a directory command and then looked for stuff. He found a file with a .SQL extension which turns out to be a MYSQL server backup. How are you checking to make sure that data that should not be made public is not made public?
Since, apparently, this data was stored at a vendor, this calls into question the Red Cross’s vendor risk management program. How active and effective is your vendor risk management program?
It sounds like the Red Cross did as good a job as possible under the circumstances to deal with the breach after the fact, which is good, but that still doesn’t lessen the damage. Would you be able to respond as effectively?
But probably the most important question the Red Cross asked itself after the breach is why are we keeping this data?
Most companies are reluctant to delete any data. Ever. After all, you never know when you might need it. On the other hand, if you don’t have the data, the hackers can’t steal it.
Maybe you need the data for compliance reasons or legal reasons. That still doesn’t mean that it has to be online on a public server. Archive the data, delete it from the primary databases and only allow access to selected people and then only from inside your four walls.
It is certainly true that you may, possibly, delete a piece of data that, in five years from now, you may, possibly find a use for.
On the other hand, that same piece of data may be exposed tomorrow by a business partner with poor cyber security practices.
One final thought – Do you regulate what your vendors can do with the data that you share with them? How long can they keep it? How do they protect it?
Whether we are talking Target, The Home Depot, The US Office of Personnel Management, the Australian Red Cross or a host of other breaches, vendors are often the weak link.
Consider the risk.