SYDNEY, Australia - Popular HR software firm PageUp is said to have suffered a possible cyber attack, which the company believes may have compromised the personal information of thousands of Australians.
According to reports, on May 23, the Sydney-based company noticed “unusual activity” within its IT infrastructure, which prompted it to open an investigation.
The data breach at PageUp, which boasts 2 million users across 190 countries and top clients from various sectors, including Telstra, NAB, Officeworks, Australia Post, Kmart, Coles and Medibank, could have leaked the bank details, tax file numbers and home addresses of thousands of Australians.
In a statement by the company’s CEO and co-founder Karen Cariss, the SaaS provider stated that it had immediately launched a forensic investigation after the malware was spotted on its system.
It said that, five days later, its investigations revealed "some indicators" that client data may have been compromised.
The statement added, "If any personal data has been affected it could include information such as name and contact details. It could also include identification and authentication data e.g. usernames and passwords which are encrypted (hashed and salted). There is no evidence that there is still an active threat, and the jobs website can continue to be used. All client user and candidate passwords in our database are hashed using bcrypt and salted however, out of an abundance of caution, we suggest users change their password."
It clarified, however, that signed employment contracts and resumes are stored on different infrastructure from that which was affected.
It added that so far, there is no evidence that the document storage infrastructure has been compromised.
Cariss further added in the statement that PageUp has been working with international law enforcement, government authorities, and independent security experts to "fully investigate" the matter.
The company also noted that as a result of the investigation, it is unable to provide further detail on what information has been affected.
The company’s statement noted, "Since becoming aware of unauthorised access we have been urgently analysing the impact and consequences of this incident and have engaged independent digital forensic expertise, who have been attempting to identify what, if any personal data may have been accessed. That said, we can share that the source of the incident was a malware infection. The malware has been eradicated from our systems and we have confirmed that our anti-malware signatures can now detect the malware. We see no further signs of malicious or unauthorised activity and are confident in this assessment."
Meanwhile, after the breach was reported, clients of PageUp began issuing emergency statements to employees and customers, while experts noted that the alleged breach is the first of its type since the government introduced mandatory reporting for data breaches.
Reports quoted Nigel Phair, a cyber security expert at the University of Canberra, as saying that under this new legislation, any company that suspects a data breach is required to report it immediately.
Phair pointed out, “So it is difficult to say whether this is the biggest data breach we have experienced in Australia, because in the past companies were not compelled to report breaches to authorities. What this demonstrates is that all Australian companies, not just financial institutions, need to take cyber security seriously.”
In a statement on Tuesday, Australia Post said that job applicants who were successful may have had details such as their Tax File Numbers, superannuation and home addresses compromised because of the breach.
The company’s spokesperson added, “As a proactive step, we have also ceased use of PageUp's systems while we seek assurances from PageUp about data security.”
Further, another PageUp client, Medibank, said that it had suspended its careers page and is now “working with PageUp to determine whether the data of its applicants has been compromised.”
Meanwhile, Australian telecommunications provider Telstra said in a statement that all recruitment activity has been suspended while the company holds “urgent discussions” with the telco giant.
Telstra wrote in its statement, "In most cases, the personal information that could be potentially impacted is the applicant's name, phone number, application history, and email address. For those whose applications were successful, the data in PageUp's systems may include: Date of birth, employment offer details, employee number (if a current or previous employee), pre-employment check outcomes, [and] referee details."
PageUp meanwhile added in its statement that it has informed the U.K. Information Commissioner's Office and the U.K. National Cyber Security Centre in line with its obligations for PageUp People's own staff data, where the local arm is a data controller.
On Tuesday, the Australian Cyber Security Centre and Australia's Computer Emergency Response Team were said to have been informed about the breach.
PageUp meanwhile added that it has also liaised "as appropriate" with the Office of the Australian Information Commissioner (OAIC).
(c) 1998-2018 Big News Network. All rights reserved. Provided by SyndiGate Media Inc. (Syndigate.info)., source Middle East & North African Newspapers