PageUp security incident shows no sign of exfiltration

Australian authorities helping PageUp People recover from a security incident say that while some data was likely accessed by an unauthorised party, there is no evidence so far that it was exfiltrated.

In a joint statement, the Australian Cyber Security Centre (ACSC), the Office of the Australian Information Commissioner and IDCARE came out in support of PageUp and the way it had handled the incident to date.

The statement also provided important clarity around how information that may have been accessed in the incident could be used.

PageUp People, a maker of hosted recruitment and HR software, suffered a malware infection in late May that allowed an unauthorised party to gain entry to part of its systems.

Customers suspended their use of PageUp, particularly to underpin online recruitment sites, immediately following the disclosure of the incident.

ACSC head Alastair MacGibbon said late Monday that PageUp “self-identified” the issue, notified the relevant authorities and had kept its customers informed throughout the process.

“PageUp has demonstrated a commendable level of transparency in how they’ve communicated about, and responded to, this incident: they came forward quickly and engaged openly with affected organisations,” MacGibbon said.

While there were early fears of a large amount of data being compromised, it appears that these fears were unfounded, and most customers have now removed warnings about data like tax file numbers or banking details being potentially impacted.

To date, PageUp People has never definitively said it was breached; only that “on the balance of probabilities” some data was accessed by an unknown attacker.

What that attacker did with - or can do with - any data accessed could be of limited value, the ACSC, OAIC and IDCARE jointly said.

“While recognising that investigations are ongoing and that the situation may therefore change, the ACSC emphasises that there is a significant distinction between information being accessed (which means there has been a systems breach) and information being exfiltrated by the offender,” it said.

“In other words, no Australian information may actually have been stolen.”

IDCARE, a not-for-profit agency that employs identity and cyber security counsellors and analysts, said that “at this point IDCARE assesses that the direct risk of identity theft [from the PageUp incident] is unlikely”.

“Identity thieves typically require other forms of personal information to successfully manipulate this type of data, such as driver licence, passport, and account details, in order to obtain credit in a person’s name or related acts of impersonation,” IDCARE managing director Dave Lacey said.

“IDCARE assesses that there are other risks that are likely to be more relevant to impacted individuals, including the possibility of phishing emails, telephone scam calls, and specific risks to individuals concerned about their contact information, physical address, and employment details (and applications) becoming known to third parties.”

The organisations warned people that may be affected to change their passwords and to ignore phishing or otherwise scam-like emails and calls, which may seek to exploit some of the PageUp data.

Clear text password disclosure clarified

Also last night, PageUp People clarified its weekend disclosure that failed login attempt data up to 2007 may have exposed some password information in clear text.

It said last night that "a small number of PageUp error logs from before 2007 may have contained incorrect failed passwords in clear text".

In other words, the log file contained mistyped versions of passwords rather than the actual passwords themselves.

"Because failed passwords can be similar to correct passwords, if employees have not changed their password information since 2007, it would be prudent to do this now and anywhere where they may have used the same password," the company said.