An Overview of the Australian Red Cross Data Breach

Introduction

In today's world, every person and organization is connected to the others to communicate and exchange data via the internet. Without a doubt, the internet has made our lives more empowered and better supported. At the same time, the exposure of data to cyber attacks has expanded exponentially with the growth of the online world. It is now common to hear news of cyber attacks involving the breach of large organizations' information, and this worrying situation highlights the pressing need to strengthen existing controls against such breaches.

On September 5, 2016, a database containing records on 550,000 potential blood donors who had entered their information into the website was copied into a backup file that was stored on a public-facing web server. That web server had directory listing enabled, so the fact that the file was a SQL database backup was discoverable. The backup appears to have been created and stored by Precedent Communications Pty Ltd, the IT service provider for the Red Cross, so that it could "test any new functionality with real information"; the server formed part of the User Acceptance Testing (UAT) environment (Siganto, 2017). An unspecified individual found the data by scanning file listings and reported what he had discovered to Troy Hunt, a well-known Australian cybersecurity figure, on October 25, 2016, about 50 days after it was first exposed on the server. To demonstrate his good faith, the unspecified person provided Troy with the records of Troy and his wife, both of whom were donors.
Troy decided to alert AusCERT, who then spoke to the Blood Service (an existing client) and continued to assist them with their ongoing response (Siganto, 2017). At the time of the incident, according to the report, registered entries from prospective donors remained on the back end of the Donate Blood website, as well as being passed on to the Blood Service. The website's production environment was hosted for Precedent by Amazon Web Services. The non-production environments, including the website's User Acceptance Testing (UAT) environment, were hosted and managed directly by Precedent. The UAT environment contained a replica of the website, along with customer information that was refreshed on a monthly basis; it held a copy of all data entered into the production version of the Donate Blood website. According to the report, the UAT environment was protected by Precedent through a variety of mechanisms. However, parts of the web server on which the UAT environment resided were publicly accessible, as stated in the report on Precedent's involvement in the breach (Spencer, 2017a).

Methodology

This paper examines how well-implemented controls should have altered the outcome of the breach. The method used to assemble the case assessment is described, and the information security principles of Confidentiality, Integrity and Availability (CIA) are explained and applied in this context. The threats and vulnerabilities that allowed the breach to occur and, ultimately, to succeed are analysed, and the protection mechanisms for an area that must be safeguarded from such threats are examined. The approach taken to remediation after the breach is then evaluated. Finally, the significant lessons learned from the incident are identified and discussed.
The analysis is then summarized and a conclusion provided.

Threats of a Data Breach

The threats arising from the data breach had a direct impact on the public, and on donors who had been giving blood for a long time. Their personal information was exposed and, if it ends up in the wrong hands, can be misused in many ways. Nowadays, a person's personal information is directly associated with multiple organizations and services, so an attacker can use the disclosed information to gain access to those services.

The CIA Triad and its Applications

The CIA triad (Confidentiality, Integrity and Availability) of information security is a reference model used to evaluate the information security of an organization. It frames security around three key properties of information systems: confidentiality, integrity and availability. Confidentiality means that data or information is accessible only to authorized persons. Integrity refers to maintaining data in its original form, without unauthorized modification or alteration. Availability means that the data is accessible to the legitimate user whenever it is needed, without obstruction (Gibson, 2011).

In the Red Cross data breach, confidentiality was compromised. Confidential blood donor data such as name, email address, gender, blood type, date of birth and address were exposed. Along with this, the answers to some very personal questions were exposed, such as whether the donor was taking antibiotics or had engaged in risky sexual behaviour in the past six months. This is highly sensitive information that should never have been disclosed, and its exposure could significantly affect the personal lives of the donors. Although the data was exposed for some time, there is no evidence that it was altered in any way, so the integrity of the data appears to have remained intact.
Additionally, there was no availability issue for the organization, as the exposed data was a dump file.

Legal and Ethical Issues Related to the Breach

The data breach was caused by human error on the part of a former Precedent employee. It occurred without the authorization or direct involvement of the Blood Service and fell outside the scope of Precedent's contractual responsibilities to the Blood Service. The Blood Service itself did not disclose the records file, which is the conduct that APP 6 governs. Although the root cause of the breach was an inadvertent human error by a Precedent employee, the mistake was made within the scope of the individual's duties and, as such, the breach was a "disclosure" under Australian Privacy Principle (APP) 6. Precedent breached the Privacy Act in relation to APP 6 and APP 11 by disclosing the personal information of people who had made an appointment on the Donate Blood website, in breach of APP 6, and by not having taken reasonable steps to properly mitigate the risk of a data breach and to protect the personal information it held from unauthorized disclosure, in breach of APP 11.1 (Commissioner, 2017).

Types of Information Breached

The data attributes collected from donors were disclosed in the breach: a list of all the donors and information about them, including:

- Name and surname
- Gender
- Date of birth
- Blood type
- Whether they had donated before
- Type of donation
- Email address
- Telephone number
- Answers to donor eligibility questions

A point of particular sensitivity is the collection of answers to the donor eligibility questions. Each donor is asked whether or not they are taking antibiotics, whether they are under- or overweight, whether they have had any recent surgery and, in the last twelve months, whether they have engaged in risky sexual behaviour, and so on.
This can be a deeply personal topic that is exceptionally sensitive if the answer is yes (Hunt, 2016).

Changes to Information Management

After the data breach, the Blood Service carried out a review of its information management practices and introduced changes to improve them. These included:

- destroying all historical information from the Donate Blood website database, and deleting personal records collected via the website every fortnight;
- developing and enforcing a third-party management policy and a third-party management standard operating procedure to verify third-party suppliers' compliance with appropriate privacy and data security practices and procedures;
- updating the terms of the model contract for the purchase of goods and services to include comprehensive security and privacy requirements;
- changing the procurement process so that a Privacy Impact Assessment (PIA) is completed before any major contract is negotiated, to ensure that confidentiality and information sharing are considered and adequate protections are in place;
- accelerating and expanding the review of its IT and technology systems, engaging external consultants to assess the incident response and the information security governance, strategies and systems, with the aim of identifying areas for improvement and ways to implement them (Commissioner, 2017);
- limiting the personal data collected through the Donate Blood website: all eligibility questions are now grouped at the end of the questionnaire, and a person is directed to the contact centre if they answer "yes" to any of the grouped questions. Most of the information now collected through the website is the donor ID number, date of birth, address, telephone number, email address and gender (Commissioner, 2017).
OAIC Response

According to the OAIC, Precedent breached the Privacy Act in relation to APP 6 and APP 11, which requires an APP entity to take active steps to ensure the security of the personal information it holds, by disclosing the personal information of people who made an appointment on the Donate Blood website and by failing to take reasonable steps to adequately mitigate the risk of a data breach. At the same time, the OAIC determined that the data breach occurred without the authorization or direct involvement of the Blood Service and went beyond the scope of Precedent's contractual responsibilities to the Blood Service. The OAIC found that the Blood Service had breached APP 11 "in respect of information on the Donate Blood website, by retaining the information indefinitely and by failing to have adequate measures in place to protect information concurrently held by third party contractors". The measures taken by the Blood Service to protect the information.
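The technical root of the exposure described in this essay was a database backup sitting under a web server's document root on a host with directory listing enabled, and the OAIC's APP 11 finding turns on whether reasonable protective measures were in place. As an added example (not from the essay, the Blood Service or Precedent), the following Python script audits a document root for dump files and flags directory-listing settings in an nginx or Apache configuration; the suffix list, content markers and constructed sample files are assumptions.

```python
"""Find web-served database dumps and directory-listing settings (constructed example)."""
import os
import re
import tempfile

# Suffixes that typically mark a database export or archive (assumed list).
RISKY_SUFFIXES = (".sql", ".sql.gz", ".dump", ".bak", ".tar.gz", ".zip")
# Content markers that betray a SQL dump even when the file was renamed.
SQL_MARKERS = (b"-- MySQL dump", b"CREATE TABLE", b"INSERT INTO", b"PGDMP")

def looks_like_sql_dump(path, sniff=4096):
    """Sniff the first bytes of a file for dump markers."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(sniff)
    except OSError:
        return False
    return any(marker in head for marker in SQL_MARKERS)

def audit_docroot(docroot):
    """Walk the document root; return (path, reason) for every suspect file."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        for full in (os.path.join(dirpath, n) for n in sorted(files)):
            if full.lower().endswith(RISKY_SUFFIXES):
                findings.append((full, "backup/dump suffix"))
            elif looks_like_sql_dump(full):
                findings.append((full, "SQL dump signature"))
    return findings

def directory_listing_enabled(config_text):
    """nginx 'autoindex on;' or Apache 'Options' granting Indexes/All (no '-')."""
    if re.search(r"^\s*autoindex\s+on\s*;", config_text, re.M):
        return True
    for m in re.finditer(r"^\s*Options\s+(.*)$", config_text, re.M):
        for token in m.group(1).split():
            if token.lstrip("+") in ("Indexes", "All") and not token.startswith("-"):
                return True
    return False

def build_sample_docroot():
    """Constructed sample tree: a page, a renamed dump and a .sql backup."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "uat"))
    samples = {"index.html": b"<html>Donate Blood</html>",
               "uat/export.dat": b"-- MySQL dump 10.13\nINSERT INTO donors VALUES (1);\n",
               "uat/donors.sql": b"CREATE TABLE donors (id INT);\n"}
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(body)
    return root
```

Run against the real document root of each non-production host as well as production, since the UAT copy here held the same donor data; Include directives in the web server config are not followed, so point the config check at every file that can set Options or autoindex.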