Major Australian firms including Coles, Telstra, AusPost and Medibank have pulled their recruitment websites offline after the service provider supplying the technology for them said it may have been breached.
iTnews first reported that Melbourne-based cloud recruitment software provider, PageUp People, had experienced a malware infection that allowed an unknown party to gain unauthorised entry to some of its systems.
The disclosure has forced a number of large corporates and government agencies that rely on PageUp People to suspend recruitment while they await answers on what, if anything, was compromised.
So far, those to have pulled their careers websites down include:
- Australia Post
- Tasmanian Government
- University of Tasmania
- ALDI Australia
- Macquarie Group
- Scentre Group
- Commonwealth Bank
- Queensland Rail
Supermarket giant Coles said in an advisory that it “uses PageUp to manage job applications and candidate information”.
“We have suspended all connections between Coles’ systems and PageUp’s systems and stopped all available points of upload, while we obtain information from PageUp about the nature and extent of the security incident and possible data breach,” Coles said.
“We have asked for urgent responses from PageUp and are also conducting our own investigations.”
Coles said it was unaware of “any fraudulent activity relating to anyone’s data occurring as a result of the security breach” but warned anyone who had applied for a role in the last 18 months to “maintain a close watch on the use of their personal information”.
Medibank likewise suspended its own PageUp-powered recruitment site while the forensic investigation progresses.
“Medibank is working with PageUp to determine whether the personal information provided by Medibank job applicants and employees has been compromised,” it said.
The health insurer said that the amount of data potentially compromised could be far greater than PageUp’s own warnings indicated.
In addition to usernames, passwords, and some personal details, Medibank warned that data such as Tax File Numbers, diversity and health information and “identity document details” could be at risk.
Telstra has pulled its own job search page offline and replaced it with a statement noting it has “held discussions with PageUp to understand any possible impact to the security of the services they provide.”
“They have advised us that their investigation is continuing and while this is occurring we have suspended our use of their services,” Telstra said.
“This includes all current recruitment activity that has not been progressed past a written offer being placed on hold.”
Telstra said it had offered cyber security support services to PageUp to help them with the forensics investigation and recovery.
The telco said it had further “engaged government bodies, privacy and information security experts across the industry to further understand how we can help people who may have been impacted.”
Australia Post said it had also withdrawn its jobs website.
“Although we started using PageUp for online recruitment in October 2016, the recruitment system started collecting more extensive personal information from May 2017,” it said.
“To be clear there is still no evidence that Australia Post Group job applicants’ data has been compromised.”
Banks, governments follow
National Australia Bank pulled its jobs site, saying simply that "the page is currently unavailable due to an issue with an external technology provider."
The Tasmanian government suspended its own central jobs website, noting that "PageUp has not yet been able to confirm whether any data related to the Government’s use of the system has been compromised."
"But as the protection of personal information is our top priority, we will not use the system until we are confident it is secure," it said.
The University of Tasmania is another to have pulled its careers website down.
"It is not yet clear if University of Tasmania data has been impacted by the breach, but we are asking people to respond as if it has," UTAS said.
ALDI Australia similarly replaced its own careers site with a statement confirming it "has suspended all connection with PageUp’s systems as a precautionary measure".
The Australian Red Cross is another to disable its jobs site. "We have stopped using the PageUp recruitment system until we can be assured that the security of information held in that system can be guaranteed," it said.
"This does not affect the Red Cross Blood Service and the data security of its blood donors in any way."
Suncorp said it had shut down its PageUp-powered jobs site as a precautionary measure.
The Commonwealth Bank's careers site was simply emptied of ads, noting only that it is "powered by PageUp".
Queensland Rail's careers page was also stripped, though the site's URL said it was PageUp-powered.
ASX-listed contract workforce provider Programmed said it was "disappointed that this issue has occurred".
"Programmed has been using the PageUp system since 1 January 2006 to source and more recently on-board new hires," it said in an advisory.
"At this time we have no evidence of any Programmed applicant / employee data having been compromised or having been used in any unauthorised way.
"It is also important to note that Programmed’s actual payroll systems are independent of the PageUp system and they remain unaffected."
Retailer Target said it had "suspended all connections between Target’s systems and PageUp’s systems and stopped all available points of upload while we obtain information from PageUp about the nature and extent of the security issue."
Shopping centre operator Scentre Group said it had "immediately ceased managing our candidate applications through PageUp's system."
Macquarie Group said it had also "suspended the functionality of our careers pages at this time" due to the PageUp warning.
Jetstar said that applications to its careers website "prior to 24 May 2018 were made using PageUp’s recruitment technology". However, it has recently started using a rival solution from Workday instead.