Joint statement on the PageUp Limited data incident
PageUp self-identified suspicious activity on its network and undertook immediate actions to investigate and contain the incident. PageUp notified their corporate customers and the Australian Cyber Security Centre (ACSC) of the issue, enabling the ACSC to quickly assess the incident and support PageUp in their response. In line with the new Notifiable Data Breaches (NDB) scheme, PageUp also notified the Office of the Australian Information Commissioner (OAIC). PageUp is in contact with its corporate clients to facilitate notification to individuals.
Although investigations are ongoing, PageUp believes that certain information pertaining to staff members, applicants and referees was accessed by an unauthorised third party. Further information about the types of information affected can be found at PageUps website. PageUp has advised that no employment contracts, applicant resumes, Australian tax file numbers, credit card information or bank account information were affected.
While recognising that investigations are ongoing and that the situation may therefore change, the ACSC emphasises that there is a significant distinction between information being accessed (which means there has been a systems breach) and information being exfiltrated by the offender. In other words, no Australian information may actually have been stolen.
IDCARE is Australia's expert community identity and cyber support service and has been working with impacted organisations and members of the community in relation to this incident.
Dave Lacey, Managing Director, IDCARE says:
While it is important to acknowledge that breached personal information impacts people in different ways, based on investigations undertaken to date by PageUp, at this point IDCARE assesses that the direct risk of identity theft is unlikely. Identity thieves typically require other forms of personal information to successfully manipulate this type of data, such as driver licence, passport, and account details, in order to obtain credit in a persons name or related acts of impersonation.
IDCARE assesses that there are other risks that are likely to be more relevant to impacted individuals, including the possibility of phishing emails, telephone scam calls, and specific risks to individuals concerned about their contact information, physical address, and employment details (and applications) becoming known to third parties.
PageUp has provided public updates and has held multiple corporate customer information sessions facilitated through the ACSC to help keep affected organisations informed.
Alastair MacGibbon, Head of the Australian Cyber Security Centre and National Cyber Security Adviser, says:
PageUp has committed to advising impacted organisations and individuals if there are any new findings to arise as they complete their investigations. PageUp has demonstrated a commendable level of transparency in how they've communicated about, and responded to, this incident: they came forward quickly and engaged openly with affected organisations.
In this era of widespread cyber security threats, organisations must be prepared to prevent, detect and respond to incidents, to engage with relevant authorities and to provide timely and open communications to those affected.
Consistent with previous advice, the OAIC, ACSC and IDCARE jointly recommend that individuals who believe their information may be held by one or more of the organisations impacted consider the following measures:
- Immediately change passwords that may be the same as the one used during the recruitment process undertaken with impacted organisations.
- Regularly change passwords and make them hard to guess.
- Be wary of phishing emails by reviewing the sender of the email and be cautious of links and attachments if in doubt, make your own enquiries with the organisation and individual concerned using other means.
- Avoid telephone scammers good organisations dont call you and then ask for your details if in doubt, finish the call and do your own research by finding an alternative contact point and checking to see if the real organisation did call.
For general easy-to-use information for the public and small-to-medium businesses, visit the Australian Cyber Security Centres Stay Smart Online website.
To report a cyber security incident, visit the ReportCyber.
To notify the Office of the Australian Information Commissioner of an eligible data breach involving personal information, organisations should use the the OAIC's Notifiable Data Breach form.
Head of the Australian Cyber Security Centre and National Cyber Security Adviser
Acting Australian Information Commissioner and acting Australian Privacy Commissioner
Managing Director, IDCARE
ACSC working with PageUp People on security incident
Updated 13 June 2018
The Australian Cyber Security Centre (ACSC) is working with online recruitment service, PageUp People, to determine the full extent of the incident impacting its computer systems.
At this stage, PageUp's forensic investigation has identified that compromised data may include names, street addresses, email addresses and phone numbers. Some employee usernames and passwords may have been accessed but are protected using encryption.
PageUp is confident that the most critical data categories were not impacted, including rsums, financial information, employee performance reports, Australian tax file numbers and employment contracts.
PageUp has indicated the incident is contained and the threat has been removed. The company contacted the ACSC for advice and support, and has also informed the Office of the Australian Information Commissioner (OAIC) of the incident.
What can you do?
PageUp recommends that if you have used its online recruitment service, you immediately change your password.
If you think your details have been compromised you can contact the national identity and cyber support service IDCARE on 1300 432 273 or use their free Cyber First Aid Kit.
If you have been a victim of a cybercrime such as fraud, report it via ReportCyber
PageUp is providing detailed updates for clients and customers on its website.
Malicious cyber activity
Malicious cyber activity against Australian organisations continues to increase in frequency, scale, sophistication and severity.
To protect against malware attacks, we recommend you always:
- Patch/update all software and operating systems.
- Ensure computer systems are running antivirus software with the latest antivirus signatures.
- Consider implementing application control or, at least, software restriction policies to hinder the ability of malicious software to execute successfully.
Organisations can minimise the risk of cyber security incidents including malware attacks by following the Strategies to Mitigate Cyber Security Incidents.