On 1st June 2018, an online recruitment services organisation known as PageUp Limited notified their clients of a potential data breach affecting the integrity of their systems and information. The company first became aware of the malware infection on 23rd May but has released little information about it since. 
PageUp is a third-party human resources company that runs recruitment applications for other firms and organisations. In doing so, they hold the personal records of up to 2 million users across 190 countries, and provide services for a range of major clients including the Attorney General’s Department, ABC, Coles and Australia Post. Interestingly, PageUp never released a full roster of clients that were impacted by the attack, so it remains unclear how significant the breach was.
According to the company, the breach occurred during a coordinated attack on PageUp’s IT systems in Australia, Singapore and the UK. In line with Australia’s new Notifiable Data Breaches Scheme, the company notified customers in a joint statement with the Australian Cyber Security Centre (ACSC) and is now working with international law enforcement and independent security experts to respond to the intrusion. All clients, including Aldi and Jetstar, immediately suspended their PageUp career portals and alerted staff and past applicants that their information may have been compromised.
The information at risk includes names, addresses, phone numbers, dates of birth and referee contact details. While many experts believe that identity thieves typically require more solid personal documents such as drivers licences or passport details, others have pointed out that much of the data exposed would be a useful first step in stealing identities. Nevertheless, the ACSC explained that there is an important distinction between a security breach and the wholesale downloading of data. Specifically, they stated that the information has been accessed and not exfiltrated, meaning “no Australian information may actually have been stolen”.
However, the hack has effectively shut down or slowed the careers sites of the companies and government departments, with many switching to manual processes and moving to websites such as LinkedIn and SEEK. Interestingly, PageUp has recently stated that there are no further security threats and the majority of its customers have lifted their suspension. Despite this, clients including Aldi, Suncorp, Australia Post and the Commonwealth Bank have not returned, indicating the lasting impact such attacks have on the relationships between these companies and their third-party providers.
Many of the major companies impacted by the attack have released statements to their staff and past applicants with warnings and recommendations. Essentially, if you believe your information may be at risk, make sure you:
- Change your password on any online services that have the same password as your PageUp account;
- Enable multi-factor authentication and any other available security measures provided by your online services;
- Be aware of potential phishing emails or calls;
- Avoid opening attachments from unknown senders through emails, social media or your mobile; and
- Install anti-virus software on your devices and keep it updated.
Third-party breaches such as these have been identified as one of the greatest risks facing businesses today. In fact, Ticketmaster faced a similar breach in June this year. Agilient’s expert consultants can help you protect your organisation’s information, assets, clients and staff from these attacks by developing effective risk and security management and responses. Contact us today for more information.