Read this article from Computerworld. Red Cross is warning 1 million donors that they may be vulnerable to identity theft because of a single person who stole the social security numbers and other personal information of 4 donors and used the info to open credit card accounts and make purchases of over $1,000.
The article says:
The thefts occurred when the former employee, a telephone blood-drive recruiter, entered random numbers of past donors into her 8,000-donor database, then was able to access the names, Social Security numbers, phone numbers and birth dates of potential victims. The database uses unique donor numbers to store records for each person, and by entering random numbers, the recruiter was able to access the records of the four victims.
I have to commend the Red Cross for their remediation actions. The Red Cross quickly learned their lesson and fixed this problem (“Only names, phone numbers and birth dates are now accessible by blood drive recruiters”). Moreover, even more kudos go to the Red Cross because they have gone much farther than they needed to by warning 1 million donors, even though it is likely that the breach is limited to the 8,000 donor records to which this criminal had access.
So, even though there was a failure in principle of least privilege, the Red Cross seems to have done a very good job in remediation. Now I hope they move forward to take a look at their database security and security in general to stop this from happening again.
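As an added illustration of the least-privilege fix described above (example code written for this post, not the Red Cross's system; the donor records, role names and the miss threshold are constructed assumptions), here is the pre-fix lookup beside a role-restricted one, with a simple check for someone probing donor numbers at random:

```python
# Added example: field-level least privilege on a donor-record lookup,
# modelled on the fix described above (recruiters see names, phone numbers
# and birth dates, but not Social Security numbers), plus an enumeration
# check. Not the Red Cross's code; all data and names are constructed.
from collections import defaultdict

# Constructed sample records; donor numbers and details are invented.
DONORS = {
    1001: {"name": "A. Donor", "ssn": "000-00-0001", "phone": "555-0101", "dob": "1970-01-01"},
    1002: {"name": "B. Donor", "ssn": "000-00-0002", "phone": "555-0102", "dob": "1980-02-02"},
}

# Fields each role may read (hypothetical role names).
ROLE_FIELDS = {
    "recruiter": {"name", "phone", "dob"},
    "donor_services": {"name", "phone", "dob", "ssn"},
}


def lookup_before_fix(donor_id):
    """Pre-fix behaviour: any donor number returns the full record, SSN included."""
    return DONORS.get(donor_id)


def lookup_with_least_privilege(donor_id, role):
    """Return only the fields the caller's role is permitted to read."""
    record = DONORS.get(donor_id)
    if record is None:
        return None
    allowed = ROLE_FIELDS.get(role, set())  # unknown role -> nothing
    return {k: v for k, v in record.items() if k in allowed}


class EnumerationMonitor:
    """Flag a user whose lookups keep hitting donor numbers that do not exist.

    Guessing record IDs produces misses that a recruiter working from a call
    list would not; the threshold is an assumed value, not a known policy."""

    def __init__(self, max_misses=3):
        self.misses = defaultdict(int)
        self.max_misses = max_misses

    def record(self, user, donor_id):
        """Log one lookup; return True once the user exceeds the miss threshold."""
        if donor_id not in DONORS:
            self.misses[user] += 1
        return self.misses[user] > self.max_misses
```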
Vet