Judging how many Australian job seekers and companies are affected by a data breach in May at PageUp, a recruitment services platform holding confidential job applications, is difficult.
The Melbourne-based recruitment platform provider and the Office of the Australian Information Commissioner, to which the incident had to be reported under the new Notifiable Data Breaches regime, have both refused to provide even aggregated data to show how may have had their private information put at risk.
However, information from the Tasmanian Government, and estimates of the known companies affected, indicates that hundreds of thousands people now have at risk the confidential information they submitted when applying for jobs.
Exact numbers are not know but here is an incomplete list of companies and government departments whose data has been put at risk and whose recruitment has been disrupted by the hack:
Suncorp says: “We have shut down the link to this site as a precautionary measure.”
Logistics giant Linfox is directing job seekers to Seek.com.au. “We recommend that any person who has applied online for a position with Linfox over the last 3 months check to ensure that there has not been any unusual activity concerning their personal information,” the company says.
Department store David Jones uses PageUp. Its careers section on its website appears to be operating as normal. There is no obvious notice about the hack.
Gold miner Newcrest Mining Limited says it has has disabled the use of PageUp. “Newcrest is continuing to advertise opportunities at Seek during this time,” the company says.
Power company Alinta Energy has started using PageUp again. “Following public assurances from PageUp that it is safe to use their services and the abovementioned security matters, Alinta has recommenced use of PageUp. Alinta will continue to monitor the situation and liaise with PageUp,” the company says.
Rail freight company Aurizon is using the platform: “Aurizon is continuing to use PageUp for online recruitment following advice from PageUp that cybersecurity experts confirmed they had not identified any further threats on PageUp systems and that PageUp is safe to use. Further security measures have been implemented to help guard against any similar incident in the future.”
National broadcaster the ABC is again accepting job applications online. “PageUp has now confirmed that their systems are once again secure and safe to use and accordingly, we have reopened connections with PageUp and have recommenced accepting applications online<" the ABC says. Global mining group AngloAmerican has disabled its Apply Now button, telling those interested to email instead. “As a precaution, we have disabled the PageUp application system so you will not be able to directly apply for jobs or log into your existing accounts,” the company says.
ALDI Australia is using Seek for new job applicants. “Based on reported PageUp data breaches, ALDI has suspended all connections with PageUp’s systems as a precautionary measure,” the discount supermarket chain says. “We are actively working with PageUp to seek further details to understand if any ALDI specific recruitment information has been impacted.”
Jetstar had switched to another provider just before the hack occurred. The airline says it doesn’t yet know if any personal information from Jetstar applicants shared through PageUp was accessed by an unauthorised user. “Jetstar’s Careers website in Australia continues to operate as normal and can receive applications as this site now uses the technology provider, Workday,” the airline says.
Queensland Rail, which has 5,800 employees, says: “As a precaution Queensland Rail has reset all candidate passwords and will be suspending connection to the service (PageUp).”
Programmed, a maintenance and facilities management company with 20,000 employees, says security measures have been implemented to guard against similar incidents. “Programmed will shortly recommence using PageUp to process recruitment advertising, job applications and offers,” the company says.
The NAB‘s Job Portal remains suspended. However, the bank says: “We have resumed limited Job Centre processes, to complete recruitment for positions already underway.”
The ANU has no obvious notice on its website about PageUp. However, in a statement, the university said: “PageUp has been unable to confirm if ANU-held data was accessed. As a precaution, ANU advised their users and community of the potential unauthorised access as soon as we were provided with sufficient information from PageUp. ANU takes data security very seriously and is continuing to seek further information from PageUp about the extent of any impact.”
The Treasury Department is now displaying current vacancies. “The HR information system Treasury uses for recruitment, PageUp, has been the subject of a system breach resulting in unauthorised access to data stored on PageUp systems, including personal data provided by candidates through recruitment processes,” says Treasury. “Advice from the Australian Cyber Security Centre, PageUp and third party cyber security experts engaged to investigate the incident is that the incident has been contained on PageUp systems and that PageUp is safe to use.”
The Federal Attorney General’s Department is displaying current vacancies online. “As a precaution, we advise anyone who has an account on this department’s recruitment system to change their password,” the department says. “We have received advice from PageUp that the incident has been contained and the malware threat eradicated.”
The Reserve Bank of Australia refers job hunters to an email. “The Reserve Bank of Australia has suspended links to PageUp People from its careers page following advice from PageUp People that there has been unauthorised activity on its global IT system,” it says.
Law firm Maurice Blackburn is directing job hunters to Seek. “Maurice Blackburn takes data security very seriously and as a precautionary measure all access points between Maurice Blackburn and PageUp remain suspended, whilst we continue to seek further information on the measures taken to prevent this issue in the future,” it says.
Telstra‘s online recruitment system is currently unavailable. “We have held discussions with PageUp to understand any possible impact to the security of the services they provide,” says Australia’s largest telco with 32,000 employees. “They have advised us that their investigation is continuing and while this is occurring we have suspended our use of their services. This includes all current recruitment activity that has not been progressed past a written offer being placed on hold.”
Commonwealth Bank is sending candidates to its listings on Seek and LinkedIn. “At this stage, we have still not turned PageUp back on. We’ll be running a manual recruitment process for a small number of roles in the interim,” the bank says.
Macquarie Group is directing job hunters to LinkedIn. “Macquarie takes information security and privacy very seriously and as a precautionary measure we have suspended our use of PageUp’s services at this time,” it says.
Australia Post, with 50,000 employees, immediately stopped using PageUp’s systems to process job applications. “We’ve informed our employees and relevant applicants, and provided links on steps they can take to protect their personal information,” Australia Post says.
Medibank, Australia’s biggest health insurer with 2900 employees, advises job seekers to check Seek, Indeed and LinkedIn. “The PageUp online recruitment system we use is currently unavailable due to a system breach,” it says.
Shopping centre operator Scentre says it has ceased managing candidate applications through PageUp’s system. The company recommends applying for a role via the email scentregroupcareers [at] scentregroup.com.
Supermarket chain Coles has cut links with PageUp. “Coles took the decision to sever all data links between Coles and PageUp and also stop all recruitment activities using the PageUp system,” it says.