- Tasmania says 120,000 users of its state government job site are affected by the PageUp data breach.
- Both the company and the Office of the Australian Information Commissioner have so far refused to reveal how many companies or people have been affected by the hack.
- An incomplete list show ASX200 companies and large government departments are affected.
The PageUp hack, which has exposed recruitment records of major Australian companies, is now estimated to have affected hundreds of thousands of job seekers who made confidential online applications for jobs.
So far the company responsible, the Melbourne-based recruitment platform provider PageUp, and the Office of the Australian Information Commissioner, to which the incident had to be reported under the new Notifiable Data Breaches regime, have refused to provide even aggregated data to show how many companies and people have been affected.
However, information given to an estimates committee hearing in the Tasmanian Parliament shows that the 120,000 people who use that state government’s jobs site have been affected by the data breach.
Add this to a long list of some of Australia’s biggest companies, many of them ASX200 members, including the Commonwealth Bank and Australia’s largest private employer, Wesfarmers, plus a string of government departments such as the Reserve Bank and the Federal Treasury, and the list of job seekers affected easily runs into the hundreds of thousands.
Many companies have cut or suspended their links with PageUp, temporarily stopped recruitment, or have gone back to a manual system using email applications, or are directing job seekers to online portals such as LinkedIn or Seek. A few, on being told the breach has been fixed, have returned to PageUp.
The breach apparently occurred during a coordinated attack in late May on PageUp’s IT systems in Australia, Singapore and the UK. PageUp notified customers on June 1.
“While investigations continue, on the balance of probabilities, we believe certain personal data relating to our clients, placement agencies, applicants, references and our employees has been accessed,” PageUp says in its latest update.
But much of the data exposed would be a useful first step in stealing identities, including names, street addresses, email addresses, telephone numbers, gender, and the all-important date of birth.
However, experts say identity thieves typically need more solid personal documents such as a drivers licence number or passport details.
Tasmania is treating the data breach as an “incredibly serious matter,” says Premier Will Hodgman.
“As soon as the State Service became aware there was a risk to the security of that information, immediate steps were undertaken, including assessing the risk, expiring all user account passwords and ultimately suspending the connection with the PageUp system,” he told the state parliament’s estimates committee.
“The State Service has been leading collaborative discussions with other affected organisations on how to best respond to the incident and has been providing advice to interstate public sector agencies.
“Suspending the PageUp system led to a week’s interruption to advertising jobs. An interim solution has been developed in-house, which allowed us to start advertising vacancies from 15 June 2018. The interim solution is not connected to PageUp. It has been independently assessed for security.
“PageUp’s latest advice is that, on the balance possibilities, it is likely that the data has been accessed. Exactly what data and the degree of the impact is currently not yet known. However, any data that has been accessed is likely to be limited.”
Assessing the extent of the potential damage from the data breach is difficult because of a lack of information on how many companies and how many people have had their confidential data accessed.
However, PageUp has “a couple of hundred corporate customers including government”, according to Australian Cyber Security Centre Head, Alastair MacGibbon, who this week spoke at a CEDA (Committee for Economic development of Australia) event.
MacGibbon says Australia needs to learn from other people’s losses to try to reduce the likelihood of them happening again.
He also points out that there’s difference between a person gaining access to data and a person taking that data.
“I have no doubt that someone got into the PageUp systems but I’m not convinced necessarily that any data was stolen,” he says.
“.. someone breaking into a house but not necessarily leaving with what they broke in to steal is important for us to differentiate.”
The Australian Cyber Security Centre was a party to a joint statement, along with the Office of the Australian Information Commissioner and IDCARE, Australia’s expert community identity and cyber support service, about the PageUp data breach.
MacGibbon has praised PageUp.
He says: “PageUp has demonstrated a commendable level of transparency in how they’ve communicated about, and responded to, this incident: they came forward quickly and engaged openly with affected organisations.”
This “transparency” hasn’t extended yet to explaining how far the data breach problem extends into corporate Australia.
The companies affected can only be identified if they self-report to their users and go public. Many companies have also emailed their job sites users telling them of the breach.
Business Insider Emails & Alerts
Site highlights each day to your inbox.