PageUp People all but confirms personal data 'accessed'

Widely-used Australian cloud HR vendor PageUp People says that some personal data of job applicants that it holds was - “on the balance of probabilities” - accessed by an attacker.

The language is an upgrade on the company’s initial advisory that “client data may have been compromised” at the end of last month, when some of the company’s servers were infected with malware.

An unknown attacker used the compromise to gain access to the personal details of job applicants, as well as the usernames and passwords of PageUp employees, the company has now confirmed.

“While investigations continue, on the balance of probabilities, we believe certain personal data relating to our clients, placement agencies, applicants, references and our employees has been accessed,” it said in a new advisory.

“We continue to run forensic analysis, but based on our current information we believe data may include names, street addresses, email addresses, and telephone numbers.

“Some employee usernames and passwords may have been accessed, however current password data is protected using industry best practice techniques including hashing and salting and therefore is considered to be of very low risk to individuals.”

PageUp said that more detailed data and documentation it holds on job applicants was safe.

“No employment contracts, applicant resumes, Australian tax file numbers, credit card information or bank account information were affected,” PageUp said today.

“No data contained in our onboarding, performance, learning, compensation or succession modules was affected.”

Many of the company’s users had cited the extensive amount of information that PageUp collects as a reason to suspend recruitment operations, where those were underpinned by PageUp’s platform.

Within hours of the infection being revealed by iTnews last week, major customers including Coles, Telstra, Australia Post, Medibank, NAB, the Tasmanian Government, Suncorp, ALDI Australia, Jetstar, Macquarie Group, Target, Commonwealth Bank and Queensland Rail pulled their online recruitment sites offline.

Many more have followed between then and now.

PageUp encouraged its customers to switch their PageUp-powered recruitment sites back on.

“PageUp is safe to use,” it said.

“We have confirmed that the threat on our systems has been contained and eradicated. You can continue to use the PageUp system.

“We look forward to enabling customers, employees and job seekers to return to business as usual.”

In addition to the Australian Cyber Security Centre and Australian Federal Police, PageUp said it was now working with “multiple independent expert cyber security firms ... to address the incident.”

It apologised to everyone that had been impacted.

“We take privacy extremely seriously and are doing everything in our power to strengthen our systems and security processes.”