A little bit Dave anatomy of the Blood Service data breach Mr - PowerPoint PPT Presentation

A little bit Dave – anatomy of the Blood Service data breach Mr Laurie Joyce Australian Red Cross Blood Service @HISA_HIC #HIC18

Blood Service Data Breach Laurie Joyce IT Security and Compliance Manager

Headlines

Introduction In October 2017 the Blood Service was made aware that Personally Identifiable Information of which it was the custodian was available on the internet. This presentation will cover –  What happened  How we responded to the incident  The reviews undertaken  How we responded to the need to rapidly improve our Information Security posture

Blood Service  The Australian Red Cross Blood Service is entrusted with the supply of Australia’s blood. We collect, process and distribute life-saving blood products. We also deliver world-class research and provide expertise in diagnostic, transplantation and other clinical services.  1.3 million blood donations annually  500,000 active donors  3500 staff  80+ facilities  Federal Government Critical Infrastructure Classification

What Happened – the First Hour On Wednesday 26 October we were notified of the breach • IP range had been blocked • Investigation began and pointed to a marketing connection • War room established by ICT • • People brought in on a need to know basis • Next steps were starting to be planned

The Response – Day 1 Number 1 concern was the impact on the Blood Supply  A second war room was also quickly established consisting of the Chief Executive, other relevant department Executive Directors and SMES from legal, government relations and communications.  Board was briefed.  Our governing body the National Blood Authority was notified  Government was also briefed including Health Minister and Prime Ministers Department.  Throughout the day the investigation and analysis continued.  We were in contact with the person who found it via a third party. File was created on 5 th September by a vendor staff member and dropped on the file  server that day. So had been exposed for roughly 6 weeks  Forensic analysis of the server and the file showed it was touched 4 times and we could account for all of them

The Response – Week 1 Day 2  Database rebuilt  Independent risk assessment on the nature of the information exposed found that there was a “low risk of future direct misuse ”  Communications Plan established  SMS and email  Press conference  Scripts for the contact centre  Social media response team  Escalation process Day 3  Midday Press Conference  SMS and emails released Day 4 +  3000 responses required to enquiries come Saturday morning  Formulation of a broader security review was underway

The Response Week 1 – Social Media

The Response – Month 1 A number of reviews were scoped – • EY, PWC, KPMG • Privacy Commissioner investigation commenced • Controls on dissemination of information were tightened • Multiple streams of work were established • Business proposal created and initial funding granted by the Board to commence the remediation activities

The Plan that moved Initially determined that we needed four streams of work External – websites outside IT control  Internal – detect and monitor capability uplift  Data – where is it and who has it  Governance – policy and procedure review  The Ramp up  Impact on BAU activities and resources  Program of works defined  Acquired extra staff Reviews completed  115 Recommendations some with multiple actions associated with them  Policy and Process reviews  Tool set reviews and gaps identified  Training reviews and uplift of staff capabilities

Program Schedule Extreme & High Priority ICT Items – Mitigation Status 0 - 3 4 - 6 7 - 12 12 - 18 Time Period Total months months months months Audit 22 13 15 0 50 Target Agreed 24 12 10 6 52 Target Completed 24 12 10 5 51 Medium & Low Priority ICT Items – Mitigation Status Time 0 - 3 4 - 6 7 - 12 12 - 18 Total Period months months months months Audit 13 17 27 8 65 Target Agreed 14 6 38 7 65 Target Completed 14 6 38 3 61

Privacy Commissioner Findings  The root cause of the incident was a one-off human error on the part of a Precedent employee. The data breach occurred without the authorisation or direct involvement of the Blood Service, and was outside the scope of Precedent’s contractual obligations to the Blood Service. As such, the Blood Service did not disclose the information in question within the meaning of Australian Privacy Principle ( APP ) 6.  Furthermore, the Blood Service had in place policies and practices to protect personal information as required by APP 11.1, including documented information security policies and regular staff training. Nevertheless, there were two matters within the Blood Service’s control that were a contributing factor to the data breach and which constituted breaches of the Privacy Act. In particular, it appears that the incident would not have occurred but for:  the absence of contractual measures or other reasonable steps on the part of the Blood Service to ensure adequate security measures for personal information held for it by the relevant third party contractor, in breach of APP 11.1  the retention of data on the Donate Blood website for a longer period than was required, in breach of APP 11.2.

Enforceable Undertaking Review of third party management policy and standard operating procedure 1. The Blood Service undertakes to engage, in consultation with the OAIC, an appropriately experienced and qualified independent third party (the Reviewer ) to conduct the review outlined in paragraph 2 below. 2. Between July and December 2018, the Reviewer will review:  a. the Blood Service’s compliance with its Third Party Management Policy ( Policy ) and Third Party Management Standard Operating Procedure ( Procedure );  b. the effectiveness of the Policy and Procedure The Reviewer may make recommendations for improvements to the Policy and Procedure. The reviewer will provide a report of its review to the Blood Service and to the OAIC.

Vendor Management Policy  Maintain a register of vendors who handle Personally Identifiable Information on our behalf of who touch systems that may meant they have access to PII  Includes  Mail Houses  Survey Companies (Donor and Employee surveys)  Application support vendors  Organisations we disseminate information to (primarily government)  Conduct annual Information Security and Privacy assessments of each of them

Next Steps  Develop our Information Security Strategy and Roadmap  Complete the delivery of the program to date  Review the tactical decisions we made to address the reviews to ensure they align with the strategy  Complete the implementation of the tool sets  Vulnerability management  Managed Security Service (MSS)  Data Loss Prevention (DLP)  Cloud Access Security Broker (CASB)  Roll out new endpoint protection  Complete the roll out of Windows 10  Ensure all websites behind our Web Application Firewall (WAF)  Privileged Access Management  Conduct Annual Incident Exercises (first completed in Feb 2018)  Review staff training

Lessons  Get control of shadow IT  Know what data is stored outside your corporate network  Know who has access to it  Know what the Privacy Commissioner defines as reasonable steps and understand if you satisfy them  Review your Cyber Security Incident Response and Crisis Management Plans

There is always a Dave Questions?