Australia's Red Cross has admitted to a significant data breach that saw haveibeenpwned.com sent a file containing records on 550,000 blood donors. The source of the file, or just who has been able to access it, are not known.
Red Cross Australia chief executive Shelly Park says, in a canned statement, that "a back-up copy of an online enquiry database [was] accessed by an unauthorised person."
Park says the file "contained registration information of 550,000 donors made between 2010 and 2016. The file was part of an online application to give blood and information such as names, addresses, dates of birth and some personal details are included in the questionnaire."
"The online forms do not connect to our secure databases which contain more sensitive medical information," Park added.
However ITnews.com.au reports that the data dump included details of donors' names, email addresses and sometimes even whether they had indulged in risky (for blood donors) sexual activity.
Park has apologised, said this sort of thing is unacceptable and reported the situation to the appropriate authorities. Donors whose details appear on the list will be contacted.
The breach is significant for its size, but also for the fact it appears to offer very personal details.
Confusingly, the Red Cross says it is confident that all copies of the data are now in safe hands, but also says it is continuing its investigations.
The Register has contacted the Australian Red Cross for comment, but our voicemail had not elicited a response at the time of writing. Or in the four hours since. ®