PageUp Breach: Job Winners Hit Hardest
Successful Job Applicants Had Additional Data Exposed
Nearly three weeks after human resources software vendor PageUp discovered malware on its system, the tally of what data was exposed remains unclear, although successful job applicants appear to have been hardest hit.
The breach, which occurred on May 25, has affected many of Australia's top companies, as well as PageUp customers around the world. PageUp's software is used in 90 countries.
PageUp develops a range of cloud-based applications that companies use to hire employees, onboard new workers and manage performance reviews. It also develops software to manage contractors, their payrolls and time sheets.
Many Australian organizations - including Telstra, broadcaster ABC, grocery chain Coles, Australia Post, Officeworks and Commonwealth Bank - have paused using PageUp's systems even though the company says it has mitigated the malware infection that led to the breach.
I've applied for many many jobs in the last 18 months and all these PageUp security emails are doing nothing to ease my mind. They have my name, DOB, address, email address, education and employment history. — EB (@invertedbee) June 14, 2018
Meanwhile, individuals who submitted job applications to companies via PageUp's software have been expressing their frustration and concern over the impact of the breach. As with all breaches, the personal information leaked can't be reeled back. So PageUp has been issuing the standard post-breach advice: Watch for unusual activity, and beware of phishing emails and phone calls seeking your personal details.
"I've applied for many, many jobs in the last 18 months and all these PageUp security emails are doing nothing to ease my mind," writes Erin Beaumont on Twitter. "They have my name, DOB, address, email address, education and employment history."
She continues: "If you're asking someone to submit this level of personal information, your system needs to be adequate to protect that information. A 'hey, this happened and we're sorry' email is insufficient. This is not a whoops, change your password issue."
Flurry Of Notification Emails
Unfortunately, changing passwords is one of the few concrete steps that breach victims can take. There's a risk of account takeover for those who have used the same password for PageUp on other websites. PageUp says it's a low risk, however, because it had hashed and salted the breached passwords.
Under an amendment to Australia's Privacy Act 1988, organizations are required to report serious breaches to regulators and victims within 30 days. The mandatory breach reporting scheme came into effect on Feb. 22 (see Australia Enacts Mandatory Breach Notification Law).
The notification requirement applies to the entity that has the most direct relationship with anyone whose personal information was exposed. Because many Australian companies use PageUp's systems, the incident has prompted a flurry of email notifications to consumers from those companies, which are also required to file notices with the Office of the Australian Information Commissioner.
My inbox is full of PageUp data breach emails today. Hey companies using PageUp: Use better recruiting systems please. It's an awful experience for people using it and even more so now — Michael Meloni (@michaelmeloni) June 13, 2018
"My inbox is full of PageUp data breach emails today," writes Michael Meloni, who publishes a marketing-focused blog called PassengerWise. "Hey companies using PageUp: Use better recruiting systems please. It's an awful experience for people using it, and even more so now."
In an update on the incident published Tuesday, PageUp said that the leaked data included names, street addresses, email addresses and phone numbers. But it appears that those who have successfully landed jobs may also have had additional data exposed.
For example, Telstra says the data at risk for those individuals may include birth dates, nationality, employment offer details, employee numbers for either current or former employees, pre-employment check outcomes and referee details. The grocery chain Aldi also says successful applicants may have had their birth date, employment offer details and employee numbers breached.
The law firm King & Wood Mallesons says in a notice that details at risk for those who applied for positions within Australia include gender, maiden name, nationality and whether the applicant was a local resident when the application was made.
Also at risk were current employment details when an application was made, the firm writes. That includes employment status, company and title, it says. Information provided by references may have also been at risk, including "technical skills, special skills, team size, length of tenure with company, reason for leaving that position (if applicable), and the length of relationship between the applicant and reference."
Other companies that use PageUp have shared few details about how their applicants or employees are affected, saying they've requested and are still waiting to receive more information from PageUp.
PageUp has said other information, such as employment contracts, applicant resumes, Australian tax file numbers, and credit card and bank account information, was not affected because that data was stored on separate systems.
The company has yet to specify the total number of breach victims. But it is not required under the mandatory breach notification requirement to release that figure, according to HopgoodGanim, a Brisbane-based law firm.
PageUp does, however, say it has 2 million active monthly users, which means there may be more disclosures from companies to come as the investigation into the breach continues. Officials at PageUp could not be immediately reached for comment on Friday.