Cyber Incident Victim: Indian Blood Donors
Date: Jun 2020
Location: India
Summary
A data leak exposed sensitive information of over 12,000 blood donors registered with an Indian blood donor organization, including personally identifiable information, blood types, and plaintext passwords. The database was advertised on multiple forums and freely accessible, enabling unauthorized account access to modify donor details or impersonate users. The credentials also posed risks for credential-stuffing attacks on other platforms due to password reuse. The organization reportedly failed to respond to prior security notifications, leaving donor data unprotected. This incident reflects broader concerns about inadequate data protection practices within India's healthcare sector, mirroring previous similar breaches involving unsecured medical information.
Description
On or around June 12, 2020, cybersecurity firm CloudSEK discovered a data leak involving the Indian Blood Donors organization, which operated the website www.indianblooddonors.com and a companion mobile application. The leak exposed sensitive information belonging to 12,472 registered blood donors. CloudSEK researchers identified forum posts advertising free access to the organization’s database, which contained donors’ personally identifiable information (PII), blood types, and account passwords stored in plain text. The researchers obtained and validated the entire database without cost, confirming its authenticity. The compromised data enabled unauthorized parties to access donor accounts on the Indian Blood Donors platform, modify personal details, or impersonate donors. The platform’s function of matching blood recipients with donors based on proximity and blood type raised additional concerns about potential misuse of the exposed location and health data.

The incident represented a recurrence of security failures in India’s healthcare data systems, following a similar 2019 breach involving another online blood bank that also ignored breach notifications. Indian Blood Donors failed to respond to security warnings prior to the data’s appearance on criminal forums, leaving donor accounts actively vulnerable. The plaintext password storage exacerbated risks, as credential reuse could facilitate attacks on donors’ other online accounts. No containment actions or remediation efforts by the organization were documented in available reports. Consequences included the exposure of donors to identity theft, fraudulent account activity, and targeted spam, while the broader pattern of unsecured health data highlighted systemic deficiencies in India’s protection of sensitive personal and medical information. The database remained accessible on multiple forums frequented by threat actors at the time of disclosure.
