PageUp 'victimised' by disclosure laws: MacGibbon

By on
PageUp 'victimised' by disclosure laws: MacGibbon
Alastair MacGibbon.

Not enough time to properly assess security incident.

Australia’s national cyber security adviser has blamed a “conflict of laws” for forcing PageUp People to disclose last month’s malware infection before it could properly assess the damage caused.

Alastair MacGibbon told CEDA’s state of the nation conference in Canberra today that premature disclosure of the incident led to the Australian recruitment cloud service provider being “in a sense ... victimised”.

MacGibbon went beyond comments he made last week in support of PageUp - which also played down the the likelihood that data was exfiltrated when unauthorised entry to parts of its systems took place.

“PageUp had to notify the UK market because their requirements are very tight - within 72 hours of a suspicion,” McGibbon said.

“[Australia's] requirements aren’t as compulsive in the early stages [of an incident]."

He said that having to report in the UK - as it has the "most onerous" laws - was “detrimental to PageUp”.

"PageUp in a sense was victimised by having to report to the UK market on a matter, and then if they hadn’t reported in Australia at the same time then the allegation people would make is ‘you held back’, ‘you waited months’ because that’s how long you could do in Australia if you’re investigating activity before you came out," he said.

“Because of that they came out to the market earlier than logically they should have because if they had had more time they could have said there’s no evidence data has been exfiltrated.”

Customers suspended their use of PageUp, particularly to underpin online recruitment sites, immediately following the disclosure of the incident over fears a large amount of data was compromised.

PageUp People is yet to definitively say whether it was breached, but has indicated that “on the balance of probabilities” some data was accessed by an unknown attacker.

The Australian Cyber Security Centre (ACSC), the Office of the Australian Information Commissioner and IDCARE said last week that there is nothing to suggest that any “information may actually have been stolen”.

Today, MacGibbon doubled down on this position, which he characterised as “someone breaking into the house, but not necessarily leaving with what they broke in to steal”.

“I’m at pains to say there’s a difference between a person gaining access to data and a person exfiltrating data,” he said.

“I have no doubt that someone got into the PageUp systems, but I’m not convinced necessarily that any data was stolen.”

“The reaction of the market, however, was different and to me lacks maturity.”

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:
data incident malware pageup people security
In Partnership With

Most Read Articles

ASD returns fire over Microsoft removal claims

ASD returns fire over Microsoft removal claims
TPG joins Telstra in showing NBN fixed wireless speeds

TPG joins Telstra in showing NBN fixed wireless speeds
Service NSW turfs Windows OS for Chrome

Service NSW turfs Windows OS for Chrome
NBN speed standards emerge at top tiers

NBN speed standards emerge at top tiers
You must be a registered member of iTnews to post a comment.
| Register

Whitepapers from our sponsors

Managed Security Service Providers for Dummies
Managed Security Service Providers for Dummies
The Cost of Cloud Expertise report
The Cost of Cloud Expertise report
The business case for hyperconvergence
The business case for hyperconvergence
What Every CIO Should Know about DevOps & Container Guides by Puppet
What Every CIO Should Know about DevOps & Container Guides by Puppet
The 5G Business Potential – Industry digitalisation and the untapped opportunities for operators
The 5G Business Potential – Industry digitalisation and the untapped opportunities for operators

Events

Log In

Username / Email:
Password:
  |  Forgot your password?