PageUp 'victimised' by disclosure laws: MacGibbon

Australia’s national cyber security adviser has blamed a “conflict of laws” for forcing PageUp People to disclose last month’s malware infection before it could properly assess the damage caused.

Alastair MacGibbon.

Alastair MacGibbon told CEDA’s state of the nation conference in Canberra today that premature disclosure of the incident led to the Australian recruitment cloud service provider being “in a sense ... victimised”.

MacGibbon went beyond comments he made last week in support of PageUp - which also played down the the likelihood that data was exfiltrated when unauthorised entry to parts of its systems took place.

“PageUp had to notify the UK market because their requirements are very tight - within 72 hours of a suspicion,” McGibbon said.

“[Australia's] requirements aren’t as compulsive in the early stages [of an incident]."

He said that having to report in the UK - as it has the "most onerous" laws - was “detrimental to PageUp”.

"PageUp in a sense was victimised by having to report to the UK market on a matter, and then if they hadn’t reported in Australia at the same time then the allegation people would make is ‘you held back’, ‘you waited months’ because that’s how long you could do in Australia if you’re investigating activity before you came out," he said.

“Because of that they came out to the market earlier than logically they should have because if they had had more time they could have said there’s no evidence data has been exfiltrated.”

Customers suspended their use of PageUp, particularly to underpin online recruitment sites, immediately following the disclosure of the incident over fears a large amount of data was compromised.

PageUp People is yet to definitively say whether it was breached, but has indicated that “on the balance of probabilities” some data was accessed by an unknown attacker.

The Australian Cyber Security Centre (ACSC), the Office of the Australian Information Commissioner and IDCARE said last week that there is nothing to suggest that any “information may actually have been stolen”.

Today, MacGibbon doubled down on this position, which he characterised as “someone breaking into the house, but not necessarily leaving with what they broke in to steal”.

“I’m at pains to say there’s a difference between a person gaining access to data and a person exfiltrating data,” he said.

“I have no doubt that someone got into the PageUp systems, but I’m not convinced necessarily that any data was stolen.”

“The reaction of the market, however, was different and to me lacks maturity.”