In a statement apologising for the breach, Blood Service chief executive Shelly Park played down the risk of future repercussions to donors. She said IDCARE, a national identity and cyber support service, had assessed the information accessed as of low risk of future direct misuse.

"To our knowledge all known copies of the data have been deleted. However investigations are continuing," Ms Park said.

"We are incredibly sorry to our donors. We are deeply disappointed this could happen. We take full responsibility and I assure the public we are doing everything in our power to not only right this but to prevent it from happening again."

Insecure website

The data breach occurred, Ms Park said, because a company employed to maintain the service's website had placed the file on an insecure page. The details were from donors who registered between 2010 and 2016.


In a detailed rundown of the discovery of the breach, Troy Hunt, who runs an online data breach notification service, describes how he weighed up the best options for handling the information before informing the Australian Cyber Emergency Response Team (AusCERT), of which the Blood Service is a member.

While not suggesting that the Blood Service would have done so, he said he didn't directly contact the Red Cross initially as many organisations look to sweep breaches under the carpet.


"Clearly [the eligibility questions] is a deeply personal, private attribute that could be enormously sensitive if the answer is in the affirmative. Because there are many eligibility questions for each donor, there are a total of 7,343,537 answers in the system and naturally, many of these relate to the question of at-risk sexual behaviour," Mr Hunt wrote.

"I believe this incident has the unenviable title of being Australia's largest ever leak of personal data … who else has the data is most concerning and the only answer anyone can confidently give is 'we don't know'."

Mr Hunt said the person who found the files had used a very simple and widely-used web scanning mechanism, which can be used to hunt for everything from vulnerable code to connected devices to publicly facing backup files.

Online trading of personal data is a big and growing business, and Mr Hunt said he had spoken with the person who found the files to try to ascertain whether this had occurred.

Mr Hunt said the person maintained that he had not redistributed the data to anyone else, and that he had also agreed to permanently delete the Red Cross data he still held.

"However, by his own admission, we can only take his responses at face value. The Red Cross has done the right thing in making a public statement about this and notifying impacted donors," Mr Hunt said.

The Red Cross said that, since Tuesday, it had been in communication with the Australian Cyber Security Centre and the Australian Federal Police, and had reported the matter to the Office of the Australian Information Commissioner.

Confidence in the service


"The online forms do not connect to our secure databases which contain more sensitive medical information," Ms Park said.

"The Blood Service continues to take a strong approach to cyber safety so donors and the Australian public can feel confident in using our systems."

She said the service needed continued public support to donate blood and that she was confident that a similar breach would not re-occur.

The Blood Service is endeavouring to contact all people who made an application to be a blood donor and inform them of the potential breach of their data. It has set up a hotline (13 95 96), a website and an email address to provide information.

"It is vitally important that people who generously want to give blood are not deterred by this," Ms Park said.

"Every Australian may need a blood transfusion at some time and we hope people will continue to make their contribution and to feel confident that their personal details will be protected."