A little bit Dave – anatomy of the Blood Service data breach (PowerPoint PPT presentation)



SLIDE 1

@HISA_HIC #HIC18

Mr Laurie Joyce

A little bit Dave – anatomy of the Blood Service data breach

Australian Red Cross Blood Service

SLIDE 2

Blood Service Data Breach

Laurie Joyce IT Security and Compliance Manager

SLIDE 3

Headlines

SLIDE 4

Introduction

In October 2017 the Blood Service was made aware that Personally Identifiable Information of which it was the custodian was available on the internet. This presentation will cover –

  • What happened
  • How we responded to the incident
  • The reviews undertaken
  • How we responded to the need to rapidly improve our Information Security posture

SLIDE 5

Blood Service

  • The Australian Red Cross Blood Service is entrusted with the supply of Australia’s blood. We collect, process and distribute life-saving blood products. We also deliver world-class research and provide expertise in diagnostic, transplantation and other clinical services.
  • 1.3 million blood donations annually
  • 500,000 active donors
  • 3500 staff
  • 80+ facilities
  • Federal Government Critical Infrastructure Classification

SLIDE 6

What Happened – the First Hour

  • On Wednesday 26 October we were notified of the breach
  • IP range had been blocked
  • Investigation began and pointed to a marketing connection
  • War room established by ICT
  • People brought in on a need to know basis
  • Next steps were starting to be planned
SLIDE 7

The Response – Day 1

Number 1 concern was the impact on the Blood Supply

A second war room was also quickly established consisting of the Chief Executive, other relevant department Executive Directors and SMES from legal, government relations and communications.

Board was briefed.

Our governing body, the National Blood Authority, was notified.

Government was also briefed, including the Health Minister and the Prime Minister’s Department.

Throughout the day the investigation and analysis continued.

We were in contact with the person who found it via a third party.

The file was created on 5 September by a vendor staff member and dropped on the file server that day, so it had been exposed for roughly 6 weeks.

Forensic analysis of the server and the file showed it was touched 4 times, and we could account for all of them.

SLIDE 8

The Response – Week 1

Day 2

Database rebuilt

Independent risk assessment on the nature of the information exposed found that there was a “low risk of future direct misuse”

Communications Plan established

  • SMS and email
  • Press conference
  • Scripts for the contact centre
  • Social media response team
  • Escalation process

Day 3

Midday Press Conference

SMS and emails released

Day 4+

3000 enquiries requiring responses by Saturday morning

Formulation of a broader security review was underway

SLIDE 9

The Response Week 1 – Social Media

SLIDE 10

The Response – Month 1

  • A number of reviews were scoped – EY, PWC, KPMG
  • Privacy Commissioner investigation commenced
  • Controls on dissemination of information were tightened
  • Multiple streams of work were established
  • Business proposal created and initial funding granted by the Board to commence the remediation activities

SLIDE 11

The Plan that moved

Initially determined that we needed four streams of work

External – websites outside IT control

Internal – detect and monitor capability uplift

Data – where is it and who has it

Governance – policy and procedure review

The Ramp up

Impact on BAU activities and resources

Program of works defined

Acquired extra staff

Reviews completed

  • 115 Recommendations some with multiple actions associated with them
  • Policy and Process reviews
  • Tool set reviews and gaps identified
  • Training reviews and uplift of staff capabilities
SLIDE 12

Program Schedule

Extreme & High Priority ICT Items – Mitigation Status

Time Period     0-3 months   4-6 months   7-12 months   12-18 months   Total
Audit Target            22           13            15              –      50
Agreed Target           24           12            10              6      52
Completed               24           12            10              5      51

Medium & Low Priority ICT Items – Mitigation Status

Time Period     0-3 months   4-6 months   7-12 months   12-18 months   Total
Audit Target            13           17            27              8      65
Agreed Target           14            6            38              7      65
Completed               14            6            38              3      61

SLIDE 13

Privacy Commissioner Findings

The root cause of the incident was a one-off human error on the part of a Precedent employee. The data breach occurred without the authorisation or direct involvement of the Blood Service, and was outside the scope of Precedent’s contractual obligations to the Blood Service. As such, the Blood Service did not disclose the information in question within the meaning of Australian Privacy Principle (APP) 6.

Furthermore, the Blood Service had in place policies and practices to protect personal information as required by APP 11.1, including documented information security policies and regular staff training. Nevertheless, there were two matters within the Blood Service’s control that were a contributing factor to the data breach and which constituted breaches of the Privacy Act. In particular, it appears that the incident would not have occurred but for:

  • the absence of contractual measures or other reasonable steps on the part of the Blood Service to ensure adequate security measures for personal information held for it by the relevant third party contractor, in breach of APP 11.1
  • the retention of data on the Donate Blood website for a longer period than was required, in breach of APP 11.2.
SLIDE 14

Enforceable Undertaking

Review of third party management policy and standard operating procedure

  1. The Blood Service undertakes to engage, in consultation with the OAIC, an appropriately experienced and qualified independent third party (the Reviewer) to conduct the review outlined in paragraph 2 below.

  2. Between July and December 2018, the Reviewer will review:

     a. the Blood Service’s compliance with its Third Party Management Policy (Policy) and Third Party Management Standard Operating Procedure (Procedure);

     b. the effectiveness of the Policy and Procedure.

The Reviewer may make recommendations for improvements to the Policy and Procedure. The Reviewer will provide a report of its review to the Blood Service and to the OAIC.

SLIDE 15

Vendor Management Policy

  • Maintain a register of vendors who handle Personally Identifiable Information on our behalf, or who touch systems in a way that may mean they have access to PII

  • Includes:

      • Mail Houses
      • Survey Companies (Donor and Employee surveys)
      • Application support vendors
      • Organisations we disseminate information to (primarily government)

  • Conduct annual Information Security and Privacy assessments of each of them

SLIDE 16

Next Steps

  • Develop our Information Security Strategy and Roadmap
  • Complete the delivery of the program to date
      • Review the tactical decisions we made to address the reviews to ensure they align with the strategy
      • Complete the implementation of the tool sets
          • Vulnerability management
          • Managed Security Service (MSS)
          • Data Loss Prevention (DLP)
          • Cloud Access Security Broker (CASB)
          • Roll out new endpoint protection
          • Complete the roll out of Windows 10
          • Ensure all websites are behind our Web Application Firewall (WAF)
          • Privileged Access Management
      • Conduct Annual Incident Exercises (first completed in Feb 2018)
      • Review staff training
SLIDE 17

Lessons

  • Get control of shadow IT
  • Know what data is stored outside your corporate network
  • Know who has access to it
  • Know what the Privacy Commissioner defines as reasonable steps and understand if you satisfy them
  • Review your Cyber Security Incident Response and Crisis Management Plans
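The lessons about knowing what data sits outside the corporate network, together with the APP 11.2 finding that data stayed on the website longer than required, can be turned into a routine check. The following is an added example and not code from the presentation or the Blood Service: it scans a web root for files that look like they hold personal data and have outlived a retention period, run here against a constructed sample directory; the 30-day period, the PII patterns and the file names are assumptions.

```python
import os
import re
import tempfile
import time
from pathlib import Path

# Crude PII indicators: an e-mail address or an Australian-style phone number.
PII_PATTERNS = [
    re.compile(rb"[\w.+-]+@[\w-]+\.[\w.]+"),
    re.compile(rb"\b(?:\+61|0)[2-478](?:[ -]?\d){8}\b"),
]

def looks_like_pii(path: Path) -> bool:
    """True if the first 1 MiB of the file matches any PII pattern."""
    with path.open("rb") as fh:
        head = fh.read(1 << 20)
    return any(p.search(head) for p in PII_PATTERNS)

def find_stale_pii_files(root, retention_days=30, now=None):  # 30 days is an assumed figure
    """Walk root and return (relative path, age in days) for every file that
    both looks like it carries PII and is older than the retention period."""
    now = time.time() if now is None else now
    root = Path(root)
    findings = []
    for path in (p for p in sorted(root.rglob("*")) if p.is_file()):
        age_days = (now - path.stat().st_mtime) / 86400
        if age_days > retention_days and looks_like_pii(path):
            findings.append((path.relative_to(root).as_posix(), round(age_days)))
    return findings

def build_sample_webroot():
    """Constructed sample web root: a six-week-old export with donor-looking
    records, a one-day-old export, and an old file that holds no PII."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    now = time.time()
    files = {  # relative path -> (content, age in days)
        "backups/donors_export.csv": (b"id,email,phone\n1,a.donor@example.com,0412 345 678\n", 42),
        "backups/donors_today.csv": (b"id,email\n2,b.donor@example.com\n", 1),
        "static/robots.txt": (b"User-agent: *\nDisallow:\n", 400),
    }
    for rel, (body, age_days) in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(body)
        stamp = now - age_days * 86400
        os.utime(p, (stamp, stamp))  # backdate so the scan sees a realistic age
    return root, now
```

Running find_stale_pii_files on the directory from build_sample_webroot reports only backups/donors_export.csv at 42 days old; the fresh export and the old robots.txt are left alone.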

SLIDE 18

There is always a Dave

Questions?