PageUp 'victimised' by disclosure laws: MacGibbon

By on
PageUp 'victimised' by disclosure laws: MacGibbon
Alastair MacGibbon.

Not enough time to properly assess security incident.

Australia’s national cyber security adviser has blamed a “conflict of laws” for forcing PageUp People to disclose last month’s malware infection before it could properly assess the damage caused.

Alastair MacGibbon told CEDA’s state of the nation conference in Canberra today that premature disclosure of the incident led to the Australian recruitment cloud service provider being “in a sense ... victimised”.

MacGibbon went beyond comments he made last week in support of PageUp - which also played down the the likelihood that data was exfiltrated when unauthorised entry to parts of its systems took place.

“PageUp had to notify the UK market because their requirements are very tight - within 72 hours of a suspicion,” McGibbon said.

“[Australia's] requirements aren’t as compulsive in the early stages [of an incident]."

He said that having to report in the UK - as it has the "most onerous" laws - was “detrimental to PageUp”.

"PageUp in a sense was victimised by having to report to the UK market on a matter, and then if they hadn’t reported in Australia at the same time then the allegation people would make is ‘you held back’, ‘you waited months’ because that’s how long you could do in Australia if you’re investigating activity before you came out," he said.

“Because of that they came out to the market earlier than logically they should have because if they had had more time they could have said there’s no evidence data has been exfiltrated.”

Customers suspended their use of PageUp, particularly to underpin online recruitment sites, immediately following the disclosure of the incident over fears a large amount of data was compromised.

PageUp People is yet to definitively say whether it was breached, but has indicated that “on the balance of probabilities” some data was accessed by an unknown attacker.

The Australian Cyber Security Centre (ACSC), the Office of the Australian Information Commissioner and IDCARE said last week that there is nothing to suggest that any “information may actually have been stolen”.

Today, MacGibbon doubled down on this position, which he characterised as “someone breaking into the house, but not necessarily leaving with what they broke in to steal”.

“I’m at pains to say there’s a difference between a person gaining access to data and a person exfiltrating data,” he said.

“I have no doubt that someone got into the PageUp systems, but I’m not convinced necessarily that any data was stolen.”

“The reaction of the market, however, was different and to me lacks maturity.”

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:
data incident malware pageup people security

Most Read Articles

Telstra sets $65 a month as minimum spend to get 5G access

Telstra sets $65 a month as minimum spend to get 5G access
Woolworths pays record $1m fine for spamming customers

Woolworths pays record $1m fine for spamming customers
Siemens chases Telstra customers over alleged cracked software use

Siemens chases Telstra customers over alleged cracked software use
Australia Post to expand its network transformation

Australia Post to expand its network transformation
You must be a registered member of iTnews to post a comment.
| Register

Whitepapers from our sponsors

Get IT, finance and business on the same page
Get IT, finance and business on the same page
Why is DevSecOps important to your business?
Why is DevSecOps important to your business?
Architecting Hybrid IT & Edge for Digital Advantage
Architecting Hybrid IT & Edge for Digital Advantage
Organizations Increasing Their Adoption of NFV
Organizations Increasing Their Adoption of NFV
Modernise IT by Reducing Your Reliance on AD
Modernise IT by Reducing Your Reliance on AD

Events

Log In

Username / Email:
Password:
  |  Forgot your password?