It has been revealed that a Precedent Communications employee was behind the massive data breach that hit the Australian Red Cross Blood Service late last year.
According to a pair of new investigation reports into the breach, published by the Office of the Australian Information Commissioner (OAIC) on 7 August, a backup of a database file containing information relating to approximately 550,000 prospective blood donors was inadvertently saved to a public-facing web server by an employee of the IT partner on 5 September 2016.
It wasn't until almost eight weeks later that the data file was discovered and accessed by an unknown individual, on 25 October 2016. On the same day, that individual notified the Blood Service via a number of intermediaries.
The Blood Service immediately took steps to contain the breach.
In the aftermath of the breach's discovery and clean-up, Rob Van Selm, Asia Pacific managing director for Precedent, confirmed only that the company, as a Blood Service partner, was working with the organisation in relation to the breach, and offered no further detail on the company's involvement.
Precedent Communications is a digital agency with offices in Perth and Melbourne, and further afield in areas such as London and Hong Kong. It provides services, including technical development and support, for clients' websites.
In 2014, the company was awarded the contract to re-develop the Blood Service's desktop and mobile Donate Blood websites into one platform with additional capabilities.
After the new Donate Blood website was launched in 2015, Precedent was also awarded the contract for the Donate Blood website development and application support, ongoing management, consulting and testing, and maintenance and upgrades.
Now, with the investigation and its reports published, the company's role in the breach, and the remediation activities that followed, have become clearer.
At the time of the incident, according to the report, information entered by potential donors remained on the back-end of the Donate Blood website, as well as being transmitted to the Blood Service.
The production environment of the website was hosted for Precedent by Amazon Web Services. Non-production environments, including the website's User Acceptance Testing (UAT) environment, were hosted and managed by Precedent directly.
That UAT environment held a copy of the website, including customer data which was 'refreshed' on a monthly basis. It contained a copy of all data entered into the production version of the Donate Blood website.
The UAT environment itself was protected by Precedent through a number of mechanisms, according to the report. However, portions of the web server on which the UAT environment was located were publicly accessible, the report into Precedent's involvement in the breach stated.
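A defensive check in the spirit of that finding, added here as an example and not code from the OAIC report, Precedent or the Blood Service: it walks a directory a web server publishes and flags files that look like database backups, either by name or by their leading bytes, so a dump copied into a public web root is caught before anyone else finds it. The directory layout, file names and dump signatures below are assumptions.

```python
import os
import re
from pathlib import Path
from typing import Dict, List

# Hypothetical scanner (added example). Name patterns and byte signatures are
# assumptions chosen to cover common backup and dump formats.
BACKUP_NAME = re.compile(
    r"\.(sql|sql\.gz|sql\.zip|bak|dump|tar\.gz|tgz|zip|7z)$", re.IGNORECASE
)
# Leading bytes that identify dump formats even when the file name looks harmless.
DUMP_MAGIC = (
    b"-- MySQL dump",
    b"-- PostgreSQL database dump",
    b"PGDMP",                 # pg_dump custom format
    b"SQLite format 3\x00",
)
SAMPLE_BYTES = 64


def looks_like_dump(path: Path) -> bool:
    """Return True when the file's first bytes match a known dump signature."""
    try:
        with path.open("rb") as fh:
            head = fh.read(SAMPLE_BYTES)
    except OSError:
        return False
    return any(head.startswith(magic) for magic in DUMP_MAGIC)


def find_exposed_backups(webroot: str) -> List[Dict]:
    """Walk webroot and return one record per suspect file, sorted by path."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(webroot):
        for name in filenames:
            path = Path(dirpath) / name
            by_name = bool(BACKUP_NAME.search(name))
            by_content = looks_like_dump(path)
            if by_name or by_content:
                st = path.stat()
                findings.append({
                    "path": str(path.relative_to(webroot)),
                    "size": st.st_size,
                    "world_readable": bool(st.st_mode & 0o004),
                    "reason": "name" if by_name else "content",
                })
    return sorted(findings, key=lambda f: f["path"])


if __name__ == "__main__":
    import sys
    for finding in find_exposed_backups(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(finding)
```

Run it against every directory the web server serves, including non-production hosts that hold refreshed copies of production data, and treat any hit as an incident to investigate rather than a file to quietly delete.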