[Image caption: The breach of data comes from the Australian Red Cross Blood Service and dates back to 2010. Credit: Dallas Kilponen]

[Image caption: A text message sent to people potentially affected by the Red Cross data breach.]

Red Cross Blood Service chief executive Shelly Park blamed human error by a contractor running the organisation's website for the breach, but said the information was considered to have a low risk of direct misuse in the future. The data had been available online since early September and is believed to have been accessed on Monday, October 24. Investigations are continuing, and the Australian Federal Police and the Australian Cyber Security Centre have been informed of the breach.

"On October 26, we learnt that a file, containing donor information, which was located on a development website, was left unsecured by a contracted third party who develops and maintains our website," Ms Park said. "The issue occurred due to human error. Consequently, this file was accessed by a person outside of our organisation." Ms Park said the organisation had engaged cyber security experts to investigate how it was "caught out" and was in the process of notifying donors affected. Donors affected have been warned that there is an increased risk to their online security and that they should be on the lookout for phone and email scams. "We are extremely sorry. We are deeply disappointed to have put our donors in this position," Ms Park said.

Online security blogger Troy Hunt, who runs a data breach notification service, reported the person who gained access to the information had contacted him, revealing Mr Hunt's own personal details and a 1.74GB data file containing the records. His name, email, gender, date of birth, phone number and date of last donation were disclosed in the file. This was also the case with his wife, whose file also contained her blood type and their home address. "The database backup was published to a publicly facing website. This is really the heart of the problem because no way, no how should that ever happen," he wrote in a blog post. Mr Hunt said he had deleted his copy of the information and the person who gave it to him had agreed to do the same. The Red Cross said, to their knowledge, "all known copies of the data have been deleted".

Some exposed data could contain the highly sensitive eligibility questions, including: "In the last 12 months, have you engaged in any at-risk sexual behaviour?" Donors are also asked if they have ever injected recreational drugs, are on antibiotics, if they are under or overweight and if they have undergone any surgical procedures. Australian Privacy Commissioner Timothy Pilgrim announced a probe into the breach on Friday afternoon. "I will be opening an investigation into this matter and will work with the Red Cross to assist them in addressing the issues arising from this incident. The results of that investigation will be made public at its conclusion," he said in a statement.

"My office encourages voluntary notification of data breaches, particularly where there is a risk to an individual as a result of a breach." Human rights lawyer George Newhouse said the privacy commissioner had the power to order damages and apologies. Adjunct Professor Newhouse also said his office was considering mounting legal action for those affected. "We're looking into a class action on behalf of those who have had their data unlawfully accessed," he said. "On the basis that they've had their privacy breached."

Even basic personal information could lead to identity fraud, but it was worse for anyone whose sexual or medical history had been compromised, he said. "This is highly sensitive personal information that could cause enormous embarrassment to people in their personal and work lives. This incident highlights how vulnerable organisations and individuals are to unauthorised access." A Health Department spokeswoman said she was confident the blood service would recover. "The ARCBS is a long-standing institution who are charged with ensuring a viable donor base, safe collection, processing and distribution of blood and blood products," she said. "We are confident that the ARCBS will be able to recover from this incident, build the confidence of the donor base and ensure that the safety and security of their systems are robust and compliant with privacy and confidentiality requirements."