PageUp People revises data impacted by breach

PageUp People has finally revealed the quantum of data that may have been compromised by a recent breach, including what it says is a “very small amount” of password data held in clear text.

The Australian cloud-based recruitment and HR software provider was hit by a malware infection in late May, which led to an unauthorised user gaining access to some of its systems.

It has, to date, said its “current” password data holdings were safe, owing to its use of “industry best practice techniques including hashing and salting”.

The company continues to maintain this to be the case for the majority of people that may have come into contact with PageUp, such as when they were applying for a new job or after accepting one.

However, the company said overnight that it had uncovered a circumstance that may have affect users from 2007 or before.

This circumstance could affect “employees/former employees of PageUp clients”, who have proven to be many of Australia’s top corporates, government agencies and universities.

“Failed login attempt data from 2007 and before contained a very small amount of password data in clear text,” PageUp said in a revised FAQ.

“If employees have not changed their password information since 2007, it would be prudent to do this now and anywhere where they may have used the same password.”

For people that either remain employed or left employment with any of PageUp’s clients, the software maker said that data that may be impacted by the breach included “name, email address, physical address, and telephone number”, as well as “employment information (including employment status, company and title, and whether they were the registered contact for communications from PageUp).”

For people who applied for a job through a PageUp-powered recruitment site, a larger amount of personal data may have been compromised.

The extra data included “biographical details including gender, date of birth, and middle name (if applicable), nationality, and whether the applicant was a local resident at the time of the application”.

Also impacted could be the personal data of anyone submitted as a work reference through PageUp’s system.

The company also said some external recruitment agencies may also have had some contact data compromised.

PageUp also slightly altered its wording around the safety of more complex datasets that it holds.

Many of its customers cited concerns about this types of data in their reasons for suspending their use of PageUp’s technology services.

When it last provided an update on June 12, it said that “no employment contracts, applicant resumes, Australian tax file numbers, credit card information or bank account information were affected”.

In its latest FAQ this is dealt with under a subsection titled, “information we believe is not affected”.

“We are confident that the most critical data categories including resumes, financial information, Australian tax file numbers, employee performance reports and employment contracts are not affected in this incident,” PageUp said.

It continued to say that “no data” in its onboarding, performance, learning, compensation or succession modules was affected. It also added mid-week that data collected in “new starter forms” was also unaffected.

Major companies make recommendations

Though PageUp continues to make public assurances that its systems have been rectified and are “safe to use”, most of its customers appear to have maintained suspensions of PageUp-powered recruitment sites.

Some of its customers impacted include Coles, Telstra, Australia Post, Medibank, NAB, Suncorp, Jetstar, Macquarie Group, Queensland Rail, Target and the Commonwealth Bank.

Several updated their guidance to anyone that had applied or gained employment.

Medibank recommended that users contact the insurer “to request deletion of your Medibank PageUp profile.”

“If you have applied for jobs with other companies who use PageUp we recommend reaching out to them directly,” Medibank said.

The health insurer also recommended that users “consider subscribing to an identity monitoring service with one of the credit reporting agencies (including Dunn & Bradstreet and Equifax) approved by the Office of the Australian Information Commissioner.”

Some, such as ASX-listed maintenance company Programmed, suggested they would restart their use of PageUp services soon.

“Programmed will shortly recommence using PageUp to process recruitment advertising, job applications and offers,” it said in a revised FAQ of its own.

Other customers did not indicate what their future plans for PageUp use were in updates over the weekend.