SIT763 IT Security Management: Analysis of Red Cross Data Breach
Added on 2023/06/13
AI Summary
This report analyzes the Australian Red Cross Blood Service data breach, where personal information of approximately 550,000 blood donors was exposed due to a publicly accessible file. The breach occurred due to inadequate contractual risk assessment and data retention practices. The report discusses the absent security measures, the role of a third-party provider (Precedent), and the failure to comply with the Privacy Act. It examines the business requirements of the Blood Service before and after the breach, including the use of the National Blood Management System (NBMS) and User Acceptance Testing (UAT). Post-breach actions, such as engaging cyber security experts and informing affected individuals, are also detailed. The report emphasizes the need for improved risk assessment, data protection measures, and communication strategies to prevent future incidents, highlighting the steps taken by the Blood Service to mitigate the damage and enhance security.

Running head: IT SECURITY MANAGEMENT
IT Security Management
Name of Student-
Name of University-
Author’s Note-
Executive Summary
The case examined in this report is the data breach at the Australian Red Cross Blood
Service, a blood bank. About 550,000 people who had donated or registered to donate blood
through the service were affected. The donors' details were held on the service's website, and a
file containing all of that data was placed on a publicly accessible web server, which led to the
breach (Hoad et al. 2015). The personal information exposed related to blood donation, including
the type of donation being made and the intended use of the blood. The incident occurred mainly
because the Blood Service had not carried out the contractual risk assessment it should have. This
report sets out the details of the breach, discusses the risk assessment relevant to the
organisation, and analyses the business requirements of the Red Cross Blood Service.
Security Risk Assessment
The breach at the Australian Red Cross Blood Service led to the loss of information on
about 550,000 blood donors whose personal details were stored through the Donor Blood website
(Fraser et al. 2018). The security measures that were absent were the controls that should have
protected the donors' personal information. A further cause of the breach was that the data had
been retained on the website for longer than necessary. The blood collection service had also not
met all of the Privacy Act requirements that apply to such a data breach.
The main cause of the breach was an error by a Precedent employee. To identify its risks,
the Blood Service should have implemented a framework covering its sourcing strategy and
contract terms appropriate to the organisation. To secure the Red Cross Blood Service's network,
the marketing team should manage the Precedent contract so as to improve the service provided
(Storry et al. 2014). The supplier must comply with, and ensure that its personnel comply with, all
policies and procedures, which are to be defined clearly by the Blood Service. Provisions covering
security, privacy, occupational health, computer resources and awareness training should be
included wherever necessary. To enforce security, the recipient of the data must also protect
confidential information so that unauthorised users cannot access or use data that is confidential
to the company (Snyder, Stramer and Benjamin 2015). It is the company's duty to take proper
precautions so that its secrecy is preserved and confidential data remains confidential.
The User Acceptance Testing (UAT) environment is used to test and approve all changes
needed for the website. It is maintained and hosted directly by Precedent, and it holds a copy of
all the data associated with the website (Bruun et al. 2016). Many mechanisms exist to protect
website data stored in a UAT environment. In the Blood Service's case, however, the section of
the web server where the UAT environment kept its data was made public, so anyone could access
it. Because the files were stored publicly, the likelihood of a data breach was far higher and the
Blood Service's data was not secure at all (Brixner et al. 2018). The data was not stored directly
under the Blood Service's control. Precedent and the Blood Service both have
obligations relating to the data breach. The third-party service provider was not able to keep the
Red Cross Blood Service's data safe, and the contractual arrangements between Precedent and the
Blood Service failed to focus on mitigating controls for the risks to which the Blood Service was
exposed.
Business Requirement Analysis
Before the breach, the Australian Red Cross Blood Service operated a website that handled
donors' personal information and allowed prospective donors to book appointments to give blood
(Lopez et al. 2016). The Blood Service used a third-party provider, Precedent, to manage this data.
Data entered by donors was transmitted to Precedent; once received by the Blood Service, it was
transferred into the internal National Blood Management System (NBMS), which records all donor
information (Daly 2018). The production environment of the Blood Service website was hosted on
Amazon Web Services. There was also a non-production environment, including a User Acceptance
Testing (UAT) environment for the website, which Precedent managed directly. The UAT
environment held a copy of all data entering the production environment and was protected by
passwords. However, the UAT environment was made public, and the user knew where the files
were located.
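The failure described in the risk assessment above and again in this paragraph is a copy of donor data sitting in a publicly served part of a web server, kept longer than it was needed. The following is an added example and not code from the report, the Blood Service or Precedent: a small Python audit that walks a directory tree, flags data-export files that sit under a publicly served prefix, and flags any export kept past a retention limit. The directory layout, file names, the 90-day limit and the fixed reference time are constructed for illustration; the audit itself generalises to any web root.

```python
"""Audit a file tree for data exports that are publicly reachable or kept
past a retention limit.

Added example: not code from the report, the Blood Service or Precedent.
The directory layout, file names, retention period and reference time
below are constructed for illustration.
"""
import os
import shutil
import tempfile
from dataclasses import dataclass

# Suffixes that typically mark a bulk export from a database or form back end.
DATA_EXPORT_SUFFIXES = (".sql", ".sql.gz", ".csv", ".bak", ".dump")
DAY = 86_400  # seconds


@dataclass(frozen=True, order=True)
class Finding:
    path: str    # path relative to the audited root, '/' separated
    reason: str  # "exposed" (under a served prefix) or "stale" (past retention)


def is_data_export(filename: str) -> bool:
    """True if the file name looks like a bulk data export."""
    return filename.lower().endswith(DATA_EXPORT_SUFFIXES)


def audit_tree(root: str, served_prefixes, retention_days: int, now: float) -> list:
    """Walk `root` and return sorted Findings for every data export that is
    either reachable through a publicly served prefix or older than
    `retention_days`. One file can produce both findings."""
    max_age = retention_days * DAY
    findings = []
    for dirpath, _subdirs, files in os.walk(root):
        for name in files:
            if not is_data_export(name):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if any(rel.startswith(p.strip("/") + "/") for p in served_prefixes):
                findings.append(Finding(rel, "exposed"))
            if now - os.stat(full).st_mtime > max_age:
                findings.append(Finding(rel, "stale"))
    return sorted(findings)


NOW = 1_500_000_000  # fixed reference time so results do not depend on the clock


def build_sample_tree() -> str:
    """Create a constructed web root in a temp directory: 'public/' is the
    served document root, 'private/' is not. Returns the root path."""
    root = tempfile.mkdtemp(prefix="webaudit-")
    layout = {  # relative path -> mtime (all constructed)
        "public/index.html": NOW - DAY,
        "public/uat/donor_export.sql": NOW - DAY,            # exposed
        "public/uat/old_backup.bak": NOW - 400 * DAY,        # exposed and stale
        "private/exports/donors_today.csv": NOW - DAY,       # no finding
        "private/exports/donors_2016.csv": NOW - 400 * DAY,  # stale
    }
    for rel, mtime in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write("constructed sample content\n")
        os.utime(full, (mtime, mtime))
    return root


def run_sample() -> list:
    """Build the sample tree, audit it with a 90-day retention limit, clean up."""
    root = build_sample_tree()
    try:
        return audit_tree(root, served_prefixes=["public"], retention_days=90, now=NOW)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for finding in run_sample():
        print(f"{finding.reason:8} {finding.path}")
```

Run as a script it lists four findings: the old export under the private directory is stale, the fresh export under the served root is exposed, and the old backup under the served root is both. A real deployment would run the audit from a cron job or a CI step against the document root of each environment, production and UAT alike, since the report's point is that the non-production copy was the one left in the open.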
After the breach, the Red Cross Blood Service's business requirements changed (Martin et al.,
2017). To identify the vulnerability involved in the breach, a cyber security expert, Troy Hunt, was
contracted; he informed AusCERT (the Australian Cyber Emergency Response Team) and took the
subsequent steps that were to
be taken in response to the breach (Williamson et al., 2015). Access to the data through the UAT
environment was removed immediately. The Blood Service engaged AusCERT's Incident
Management Service so that it could respond to any further data incident, and engaged IDCARE to
identify the risks involved; IDCARE lowers the risk of the data being misused in future. The public
and the victims of the breach were informed of what had taken place (Solomon 2017). In addition,
a specialist organisation was engaged to investigate further and to monitor the company's website
for any vulnerabilities.
Summary
A data breach took place at the Red Cross Blood Service, but it was neither authorised by the
Blood Service nor was the Blood Service directly involved; the situation was also outside the scope
of Precedent. Once a breach has occurred it is too late: protection of the donors' personal details
had to be in place before the breach. The Blood Service did not have appropriate risk assessment
measures in place to prevent the breach. However, when it was notified, the company took the
necessary steps to control the situation and sought to implement measures that will help to
mitigate any future data breach. The substantial actions taken by the Blood Service deserve
acknowledgement, and communication was established with the community about the incident.
References
Brixner, V., Kiessling, A.H., Madlener, K., Müller, M.M., Leibacher, J., Dombos, S., Weber, I.,
Pfeiffer, H.U., Geisen, C., Schmidt, M. and Henschler, R., 2018. Red blood cells treated with the
amustaline (S‐303) pathogen reduction system: a transfusion study in cardiac
surgery. Transfusion.
Bruun, M.T., Pendry, K., Georgsen, J., Manzini, P., Lorenzi, M., Wikman, A., Borg‐Aquilina,
D., Pampus, E., Kraaij, M., Fischer, D. and Meybohm, P., 2016. Patient Blood Management in
Europe: surveys on top indications for red blood cell use and Patient Blood Management
organization and activities in seven European university hospitals. Vox sanguinis, 111(4),
pp.391-398.
Daly, A., 2018. The introduction of data breach notification legislation in Australia: a
comparative view. Computer Law & Security Review.
Fraser, N.S., Moussa, A., Knauth, C.M., Schoeman, E.M., Hyland, C.A., Walsh, T., Wilson, B.,
Turner, R., Dean, M.M., Perkins, A.C. and Flower, R.L., 2018. KLF1 variants and the impact on
the expression of red blood cell surface molecules in blood donors with the In (Lu)
phenotype. Pathology, 50, p.S104.
Hoad, V.C., Speers, D.J., Keller, A.J., Dowse, G.K., Seed, C.R., Lindsay, M.D., Faddy, H.M.
and Pink, J., 2015. First reported case of transfusion-transmitted Ross River virus infection. Med
J Aust, 202(5), pp.267-70.
Lopez, G.H., McGowan, E.C., McGrath, K.A., Abaca‐Cleopas, M.E., Schoeman, E.M., Millard,
G.M., O'Brien, H., Liew, Y.W., Flower, R.L. and Hyland, C.A., 2016. A D+ blood donor with a
novel RHD* D‐CE (5‐6)‐D gene variant exhibits the low‐frequency antigen RH23 (DW)
characteristic of the partial DVa phenotype. Transfusion, 56(9), pp.2322-2330.
Martin, G., Martin, P., Hankin, C., Darzi, A. and Kinross, J., 2017. Cybersecurity and healthcare:
how safe are we? BMJ, 358, p.j3179.
Snyder, E.L., Stramer, S.L. and Benjamin, R.J., 2015. The safety of the blood supply—time to
raise the bar. N Engl J Med, 372(20), pp.1882-1885.
Solomon, A., 2017. Time to prepare for mandatory data breach notification. Governance
Directions, 69(10), p.593.
Storry, J.R., Castilho, L., Daniels, G., Flegel, W.A., Garratty, G., Haas, M., Hyland, C., Lomas‐
Francis, C., Moulds, J.M., Nogues, N. and Olsson, M.L., 2014. International Society of Blood
Transfusion Working Party on red cell immunogenetics and blood group terminology: Cancun
report (2012). Vox sanguinis, 107(1), pp.90-96.
Williamson, L.M., Benjamin, R.J., Devine, D.V., Katz, L.M. and Pink, J., 2015. A clinical
governance framework for blood services. Vox sanguinis, 108(4), pp.378-386.