Observations
In this case study of the security breach at the Australian Red Cross Lifeblood, IBRS highlights that at the core of effective cyber incident response are incident response planning, transparency in communications, and taking accountability with stakeholders.
The Context and the Breach
The Australian Red Cross Lifeblood (formerly Blood Service) is an organisation entrusted with the supply of Australia’s lifesaving blood and blood products. It receives over 1.3 million voluntary blood donations annually and, with 500,000+ active donors, it is classified by the federal government as critical infrastructure. At the time of the breach, Lifeblood was relatively immature in terms of cyber security, and cyber incident response plans were non-existent. Its chief information officer (CIO) had been with the organisation for only a relatively short time.
In October 2016, the CIO of Lifeblood was notified by the Australian Cyber Emergency Response Team (AusCERT) that one of its major donor databases, containing personal details, had been exposed to the internet. The informant who had made contact subsequently notified Lifeblood that he would brief the media within 72 hours unless Lifeblood made a public statement.
The Immediate Response
Within the first few hours, Lifeblood blocked internet access to its donor database. A command centre was established to plan the next steps, and the board was informed. Lifeblood also engaged third-party specialist support: AusCERT, forensics and the Australian Cyber Security Centre. The initial investigation pointed to information held by a third party.
As in most organisations without a cyber security plan, the initial hours were marked by a number of known facts but a much larger number of unknown details. The incident was verified as genuine but there were significant questions as to how the incident had occurred, the extent of the breach, and whether the information had been accessed from Australia or from overseas.
In the first week following the incident, Lifeblood’s team immediately adopted principles of maintaining trust and informing its donors. By day 3, Lifeblood conducted a press conference on site, took responsibility for the incident and contacted all of its donors by SMS and email.
On day 4, the mass communication generated over 3,000 enquiries that required responses. Lifeblood pivoted quickly to set up an internal task force and a communication team to triage and respond to individual donor queries.
During the first month, Lifeblood initiated a number of independent reviews and the Privacy Commissioner started its investigation. At the same time, the board commissioned a comprehensive cyber security review of Lifeblood.
Tight controls on outbound information/data were put in place and external data stores were hardened. Lifeblood’s board immediately approved funding to commence the security uplift. A specialist security organisation was commissioned to monitor the dark web for signs of donor data compromises. Fortunately, no traces of compromise were found after 9 months of monitoring.
Lifeblood’s Crisis Management and Governance
Although lacking a specific cyber security plan, Lifeblood was well versed in crisis management. In the immediate aftermath, various sub-teams were established in close proximity to support the primary crisis team, i.e., the crisis was managed at the enterprise level, including line-of-business executives, ICT, legal, corporate communications, and HR. A board subcommittee was established for ongoing oversight and recovery.
Some Key Lessons
A number of factors contributed to Lifeblood’s successful management of the crisis and maintaining its trusted relationship with its donor base. The key ones were:
- Transparency in communication with the impacted stakeholders and taking direct accountability, rather than blaming third parties.
- A comprehensive response at the enterprise level with a sense of urgency.
- Access to specialist expertise (forensics, cyber incident management and public relations), rather than relying solely on internal skills.
- To show accountability and communicate their concern to stakeholders, Lifeblood ensured that critical enquiries were fielded by senior executives as well as operational staff.
Although the outcome was successful, the path through the crisis was not always clear or direct. Many consequences of decisions were unforeseen at the time, such as the level of resources required to respond to the volume of queries.
Significant Outcomes for Lifeblood
The aftermath of the incident and Lifeblood’s immediate response resulted in largely positive and unexpected outcomes:
- Two enforceable undertakings by the Privacy Commissioner, although no fines were imposed.
- No widespread access to donor data detected, in large part due to prompt action and good fortune.
- Overall, maintained trust with donors who appreciated the transparent communications.
- Significant investment and uplift in cyber security capability, and breathing room for problem projects, which were subsequently reprioritised in favour of the security initiatives.
- Enhanced reputation for crisis management, with the response considered an exemplar.
- Tight governance of information was established and supported by the executive.
- Cultural change and awareness of cyber security across the organisation.
- Significantly enhanced the motivation of teams involved in the crisis.
With the Benefit of Hindsight
Although Lifeblood’s crisis response was publicly commended, a number of measures would have minimised the exposure and possibly prevented the breach. Some of these are:
- Get Control of Shadow IT Through Governance: in many organisations, so-called Shadow IT controls systems and data without the necessary security skills and safeguards. While it may not be feasible or desirable to control it directly, organisations need to govern security at the enterprise level. For example, an organisation needs to know what data it stores, where it is stored, who has control over it, and who has access to it.
- Manage Third Party Risk: while the risk in utilising tier 1 vendors is typically low, many organisations entrust their data, systems and services to smaller third parties. This often creates a point of exposure which may be overlooked. Establishing and monitoring the security posture of vendors holding critical data is an important mitigation strategy.
- Develop a Cyber Security Response Plan: while cyber incidents never evolve according to plan, having no plan creates additional duress for decision makers in the organisation, possibly lowering the quality of decision making.
Next Steps
- If you are a new CIO, undertake a baseline assessment of your current security posture and identify the gaps. Make sure those gaps are visible to your board.
- Articulate the risk to your board, as many boards now consider cyber security risk a priority.
- Develop and exercise a cyber security response plan. Having a mind map on how to respond in a crisis is much better than having no plan.