SaaSy HR outfit PageUp reports ‘unauthorised activity’ and data breach
Supermarket chain warns job-seekers from last 18 months. Bank, telco also worry
SaaS HR platform PageUp has revealed “unusual activity on its IT infrastructure” and “revealed that we have some indicators that client data may have been compromised”.
There’s bad news, semi-ok news, and bad news here: the bad is that the company isn’t sure what data was accessed, but thinks it was limited to “name and contact details” and “… could also include identification and authentication data e.g. usernames and passwords.”
But the other bad news comes from users of the service saying that job applications may have included tax file numbers and drivers' licence data.
The semi-ok news is that the passwords are hashed and salted.
Also semi-ok is that “Documents, including signed employment contracts and resumes, are stored on different infrastructure” an PageUp has “no evidence that the document storage infrastructure has been compromised.” The company says the activity was caused by malware, which “has been eradicated from our systems and we have confirmed that our anti-malware signatures can now detect the malware. We see no further signs of malicious or unauthorised activity and are confident in this assessment.”
The company’s informed the UK Information Commissioner’s Office, the Australian Cyber Security Centre and the Australian Computer Emergency Response Team, which may yet chat with the Australian Federal Police. “We will also be informing the UK National Cyber Security Centre (NCSC),” the company’s statement says.
Which is all very responsible, but this gets worse PageUp's clients include Telstra, National Australia Bank, Medibank and other very large employers.
Giant Australian supermarket chain Coles has notified applicants that it “is among a number of large Australian organisations who may have been impacted by a data security incident at human resources technology provider PageUp.”
Coles has over 100,000 employees and attrition rates in the retail industry often exceed 30 per cent a year. The chain has recommended “that any person who has applied online for a position with Coles in the past 18 months check to ensure that there has been no recent unusual activity concerning their personal information and maintain a close watch on the use of their personal information.”
By The Register’s count, that could be 40,000-plus people at Coles alone, with tens of thousands more at other PageUp users. PageUp also operates in the UK, Singapore and The Philippines, so the impact is probably wider still. ®