Software firm PageUp suffers a data breach, notifies affected users
June 6, 2018
There are signs that the complicated Data Breach Notification laws are having an impact. PageUp, a human resources firm, has been hit by a data breach. Its general statement is masterful in its vagueness, providing:
As part of our commitment to keeping our global community of users and partners informed, we wish to advise you of unauthorised activity discovered on the PageUp system.
On May 23, 2018, PageUp detected unusual activity on its IT infrastructure and immediately launched a forensic investigation. On May 28, 2018 our investigations revealed that we have some indicators that client data may have been compromised, a forensic investigation with assistance from an independent 3rd party is currently ongoing.
We take cyber security very seriously and have been working together with international law enforcement, government authorities and independent security experts to fully investigate the matter.
There is no evidence that there is still an active threat, and the jobs website can continue to be used. All client user and candidate passwords in our database are hashed using bcrypt and salted, however, out of an abundance of caution, we suggest users change their password.
We apologise for any concerns and inconvenience this incident has caused and have developed the below FAQs to help address any queries the community may have. These FAQs will be updated as any new information arises, and should serve as the central destination for updates about this matter. Thank you.
Even with the woolly language it is clear there has been a significant data breach involving personal information: “client data may have been compromised”.
The Information Commissioner has issued a statement even more beige-like, providing:
The Office of the Australian Information Commissioner is aware of an incident involving PageUp People Limited, a provider of human resources services for a number of Australian entities.
The OAIC is in contact with PageUp and the Australian Cyber Security Centre about the incident.
PageUp has issued a statement on its website. https://www.pageuppeople.com/unauthorised-activity-on-it-system/
The Notifiable Data Breaches (NDB) scheme, which commenced on 22 February 2018, requires organisations to notify affected individuals and the OAIC where there is a likely risk of serious harm to any of the individuals whose personal information is involved in an eligible data breach.
The OAIC has published a number of resources for those affected by a data breach and action they can take: https://www.oaic.gov.au/individuals/data-breach-guidance.
If anyone has concerns about this incident they can, in the first instance, contact PageUp at security-enquiries@pageuppeople.com, and if not satisfied with their response they can contact the OAIC at www.oaic.gov.au or on 1300 363 992.
The ABC report highlights the potential impact of this data breach in “Bank details, TFNs, personal details of job applicants potentially compromised in major PageUp data breach”. ZDNet’s coverage, “Malware hits HR software firm PageUp with possible data compromise”, highlights the need to have a proper response plan. PageUp notified the UK Information Commissioner’s Office and the UK National Security Centre as well as the Australian Cyber Security Centre and the Australian Computer Emergency Response Team. It really is important to have a response plan, which should include:
- a plan for each major type of incident or interference, determining what types of data could be compromised.
- having timeframes and objectives in responding to each type of breach.
- assigning roles and responsibilities for management and staff. This involves having clear lines of reporting and specific decision-making powers, and settling who in the organisation makes what decision.
- having clear, comprehensive and up to date contact lists, checklists and guides.
- a process to alert necessary authorities, suppliers and external agencies.
- having a proper public relations and media management plan. That will determine what advice to provide to customers/clients, and how and when to provide it. Having a designated media spokesperson is critical.
- regularly scheduled reviews of plans.
- a post-incident review.
With a large organisation like PageUp, the breach has impacts on other large organisations which use its services, here Telstra. Getting on top of the breach is critical. The reputational damage can be enormous.