A security breach at one of the world's largest human resources providers, Australian company PageUp, has resulted in tens of companies that were using their services notifying employees and applicants today that their personal data might have been stolen last month.
In a statement about the incident published today, PageUp said the breach occurred due to a malware infection on one of its IT systems. The company discovered the malware on May 23 and launched a forensic investigation into the issue.
"On May 28, 2018, our investigations revealed that we have some indicators that client data may have been compromised," PageUp said today.
PageUp is an Australian company that provides HR, careers, and recruitment services across the world. Customers who sign up with PageUp can embed a custom IT solution on their public "career sites" and intranets that helps them publish job openings, receive applicant CVs, and select the appropriate candidates.
Data submitted by job applicants is stored on PageUp's cloud infrastructure, and HR staffers at each company can access it via customized dashboards.
All in all, PageUp's solution is quite popular with HR departments across the world. The company touts hundreds of customers, ranging from US universities to government departments, and from supermarket chains to the world's largest banks.
All of these customers have now been notified of the PageUp breach, and each of them is now notifying their own employees and job applicants of the security incident.
It's because of the PageUp breach that the internet is abuzz today with a flurry of breach notifications that have been sent out by PageUp's clients.
Internet service provider Telstra; the Tasmanian Government; supermarket chains Kmart, Target, and Coles; the Australian Broadcasting Corporation (ABC) TV station; the Australia Post newspaper; healthcare provider Medibank; the Reserve Bank of Australia; and many others have published breach notifications, shut down career portals, or removed PageUp integrations from their job listing pages.
PageUp was unable to say what data the malware was able to steal from its systems and from which of its customers. The HR company said each customer stored different data, but that its investigation is still at too early a stage to know exactly what had been compromised from each client's database.
Even though it has limited details about the incident and the stolen data, PageUp went public today with its breach notification because of new privacy laws such as the EU's GDPR and Australia's Privacy Act Notifiable Data Breaches (NDB) scheme (which came into effect on February 22, 2018).
These laws force companies to alert customers of breaches as soon as they learn of them so that users can take protective measures. While the breach notifications appear mainly on the websites of Australian companies and Australian branches of foreign companies, the breach might also impact users located in other countries who have applied for jobs through a PageUp-powered careers portal. PageUp promised to publish more updates about what the attackers managed to steal via the malware on an official incident FAQ page.
"The malware has been eradicated from our systems and we have confirmed that our anti-malware signatures can now detect the malware," PageUp said today.
The HR company also said that it is currently working with law enforcement and a third-party security firm to dig through the forensic data and determine the breach's scope.
"All client user and candidate passwords in our database are hashed using bcrypt and salted, however, out of an abundance of caution, we suggest users change their password," PageUp recommended.