HR Service Provider PageUp Discloses Data BreachCustomers Include Aldi, Lindt, Australia Post, Commonwealth Bank and Telstra
Australian HR service provider PageUp, which serves a variety of organizations worldwide, says malicious software may have compromised client data as well as usernames and passwords.
The company detected "unusual activity" on its systems on May 23, according to a notification on its website. Five days later, the company determined that some data may have been exposed, but it is still evaluating the scope.
"As a result of ongoing investigations and potential law enforcement involvement, we are limited in what technical details we can disclose since we do not want to impact these efforts," the company says. It reports that the malware has now been removed from its systems. "We see no further signs of malicious or unauthorized activity and are confident in this assessment."
PageUp says it's working with outside security experts and consultants on the investigation and has shored up its defenses.
"We apologize for any concerns and inconvenience this incident has caused," writes Karen Cariss, PageUp's CEO and co-founder.
PageUp Customers: Cold Feet
PageUp's customers include confectionary maker Lindt, the grocery chains Aldi and Coles, the Reserve Bank of Australia, Victoria University and the insurer Zurich. The company says it has more than 2 million active monthly users in 90 countries.
It develops a range of cloud-based applications that companies use to hire employees, onboard new workers and manage performance reviews. It also develops software to manage contractors, their payrolls and time sheets.
The breach has the potential to expose a variety of highly personal information, and some of PageUp's customers have taken action.
Grocery chain Coles says it has suspended all data connections with PageUp until it learns more.
Australian telecommunications company Telstra and Australia Post also suspended connections. The HR system of Australia's Commonwealth Bank, which also uses PageUp, returned an "under maintenance" banner on Thursday, as well of that of energy provider AGL.
Australia Post says PageUp, which it has used since October 2016, stores a variety of data for applicants who become employees of the postal service. The data includes tax file numbers, superannuation details; diversity information; employment offers and conditions; questions around employment eligibility or Australian citizenship; education and work experience details; and mobile phone numbers.
"To be clear, there is still no evidence that Australia Post Group job applicants' data has been compromised," the organization says.
Documents Were Segregated
PageUp says the breach may have exposed data, such as name and email address, as well as authentication credentials. The company used bcrypt to hash plain-text passwords, which is considered the best industry practice to protect passwords.
"All client user and candidate passwords in our database are hashed using bcrypt and salted; however, out of an abundance of caution, we suggest users change their password," the company says.
Job candidates upload their personal information as part of job applications, including resumes and salary histories. PageUp may also store signed employment contracts. The company, however, says that documents, including employment contracts and resumes, are stored on a different infrastructure, which appears to be unaffected by the malware.
"We have no evidence that the document storage infrastructure has been compromised," the company says.
PageUp has notified Australia's Office of the Information Commissioner and the U.K.'s Information Commissioner's Office.
An amendment to Australia's Privacy Act that became effective in February requires organization to report serious breaches to the OAIC and those affected within 30 days (see Australia Enacts Mandatory Breach Notification Law).
The OAIC released its first report on reported breaches in April. The report covered the period between Feb. 22 - the day the law went into effect - through March 31.
Sixty-three incidents were reported. The most common cause of breaches was human error, at 32 percent, followed by malicious or criminal attack at 28 percent.
Breaches affecting residents of Europe must be reported to regulators and to those affected with in 72 hours under the EU's General Data Protection Regulation, which came into effect last month (see Europe's Strong GDPR Privacy Rules Go Into Full Effect).
PageUp says it has also notified Australia's Computer Emergency Response Team and plans to notify the U.K. National Cyber Security Centre.