Cloud-based HR provider PageUp has warned of a suspected data breach of its systems. For now the breach appears to be confined to its Australian subsidiary.
However, until the investigation is complete there remains the possibility that the attack involved a wider set of data.
The data lost has already had an impact on Australian companies that use the site to recruit new employees. The Australian press reports that several high-profile employers, such as Coles, Telstra and Australia Post, are among those affected. Several other customers have posted notices on their websites about the potential impact of this breach.
As expected, PageUp has moved quickly to notify all the relevant authorities in Australia, including the Information Commissioner's Office. It, in turn, has notified the UK Information Commissioner's Office. In February, new laws on reporting data breaches came into effect in Australia. Both customers and candidates will be watching carefully to see what the ICO rules in terms of responsibility and cause.
What is PageUp saying about the breach?
As well as notifying the appropriate regulators, customers and users, PageUp has put up a page giving information on the breach. It comes with a foreword by Karen Cariss, CEO and Co-Founder. It also has an FAQ for those worried about the breach, which it says it will keep updated.
Cariss wrote: “As part of our commitment to keeping our global community of users and partners informed, we wish to advise you of unauthorised activity discovered on the PageUp system.
“On May 23, 2018, PageUp detected unusual activity on its IT infrastructure and immediately launched a forensic investigation. On May 28, 2018, our investigations revealed that we have some indicators that client data may have been compromised; a forensic investigation with assistance from an independent 3rd party is currently ongoing.
“We take cyber security very seriously and have been working together with international law enforcement, government authorities and independent security experts to fully investigate the matter.
“There is no evidence that there is still an active threat, and the jobs website can continue to be used. All client user and candidate passwords in our database are hashed using bcrypt and salted, however, out of an abundance of caution, we suggest users change their password.
“We apologise for any concerns and inconvenience this incident has caused and have developed the below FAQs to help address any queries the community may have. These FAQs will be updated as any new information arises, and should serve as the central destination for updates about this matter. Thank you.”
What does this mean?
Data breaches are a fact of life. Most organisations would prefer not to talk about them. However, changes to privacy and data protection laws around the world mean data breach notification is becoming more common.
Until we know the details of who, why and what, it is difficult to know whether this was an outsider or an insider attack. It could have been caused by malware installed via an email phishing attack. Alternatively, it could be a disgruntled current or former employee. Knowing exactly what happened and how will help to determine whether this was a technology failure or a process failure.
This breach is more than a little embarrassing for PageUp. It has made much of the security described on its website. The About Us section of the site has a page dedicated to security, listing the measures it takes to protect data. It has a large section on penetration testing, describing what it tests for and how it deals with failures. It also talks about defence in depth and how this makes the platform secure.
All of this is about reputational management and trust. That trust has now been damaged and it will be interesting to see what PageUp does next.