Hack exposed personal data of job candidates at Australia’s top companies

  • Careers sites and important recruitment channels of some of Australia’s biggest companies have been shut by a hack into the system of a supplier, PageUp.
  • The hack affected a huge number of partner companies including the RBA, major banks, law firms, and government departments, putting at risk the personal details of thousands, and perhaps tens of thousands, of people.
  • The information includes names, street addresses, email addresses, telephone numbers, gender, and dates of birth of people who applied for jobs online.

A who’s who of corporate Australia and government agencies have been affected by an IT security breach at PageUp, a human resources company running recruitment applications for other firms, which has put the personal records of thousands — perhaps tens of thousands — of people at risk.

The data breach has effectively shut or slowed recruitment at some of Australia’s biggest companies and government departments, with many switching to manual processes and moving listings of roles from their own websites to LinkedIn and Seek.

The personal information made vulnerable includes files held on behalf of Australia’s Treasury Department, the federal Attorney General’s Department, the RBA, lawyers Maurice Blackburn, national broadcaster the ABC, the biggest telco, Telstra, the Commonwealth Bank, the NAB, Macquarie Group, Australia Post, Medibank, shopping centre operator Scentre, and some divisions at Australia’s biggest private employer Wesfarmers including Coles.

PageUp’s full client roster hasn’t been released, so there is no way to say how many companies are affected. The list above could be compiled only because those entities have either announced the breach on their careers sites or sent emails to those affected. Many of them are urging previous applicants to update their passwords and check for any suspicious activity on their accounts.

PageUp was contacted for comment. The company did not have an answer to the question: How many applicants’ details were put at risk?

Since the security breach became public, PageUp has been careful in the language it has used, saying that it couldn’t be sure that the information that was exposed in the breach had been extracted from its website.

PageUp, a $30 million turnover company started in Melbourne 20 years ago, says no employment contracts, resumes, tax file numbers, credit card information or bank account details were affected.

Job applicant details

But much of the data exposed would be a useful first step in stealing identities, including names, street addresses, email addresses, telephone numbers, gender, and the all-important date of birth.

These are the details job applicants entered into PageUp’s system for roles at its client organisations. The details of any referees, and their contact information, also were exposed.

And there’s a possibility that passwords, or their near equivalents, used by people applying for jobs might have been seen.

However, experts say identity thieves typically need more solid personal documents such as a driver’s licence number or passport details.

The breach apparently occurred during a coordinated attack in late May on PageUp’s IT systems in Australia, Singapore and the UK. PageUp notified customers on June 1 and, in line with the new Notifiable Data Breaches scheme, the company notified the Office of the Australian Information Commissioner.

PageUp says it is working with international law enforcement, government authorities and independent security experts, including the Australian Cyber Security Centre and Australian Federal Police.

“We take privacy very seriously and are doing everything in our power to make our systems and security processes – and most importantly the data we hold – more secure, now and for the long-term. We sincerely apologise to our clients, applicants and employees who may be affected by this incident,” says CEO and Founder Karen Cariss.

Alastair MacGibbon, head of the Australian Cyber Security Centre and National Cyber Security Adviser, said in an update last week that PageUp had shown “a commendable level of transparency” in their response, noting that they “came forward quickly and engaged openly with affected organisations.”

A month after the hack, the situation is unclear and many of PageUp’s customers — a long list of Australia’s biggest companies — still don’t have fully functioning recruitment sites. Many have switched to SEEK and to LinkedIn as a way to get job applicants.


The Australian Cyber Security Centre (ACSC), a federal government agency, is careful to make a distinction between a security breach and the wholesale downloading of data.

“While recognising that investigations are ongoing and that the situation may therefore change, the ACSC emphasises that there is a significant distinction between information being accessed (which means there has been a systems breach) and information being exfiltrated (withdrawn) by the offender,” it says. “In other words, no Australian information may actually have been stolen.”

Dave Lacey, Managing Director, IDCARE, Australia’s expert community identity and cyber support service, says the risks from the PageUp hack include the possibility of phishing emails, telephone scam calls, and specific risks to individuals concerned about their contact information, physical address, and employment details becoming known to third parties.

“Based on investigations undertaken to date by PageUp, at this point IDCARE assesses that the direct risk of identity theft is unlikely,” he says.

“Identity thieves typically require other forms of personal information to successfully manipulate this type of data, such as driver licence, passport, and account details, in order to obtain credit in a person’s name or related acts of impersonation.”

However, the hack effectively shut the careers sites of major companies.

Don’t apply here

In a typical response, the RBA’s careers page currently states:

The Reserve Bank of Australia has suspended links to PageUp People from its careers page following advice from PageUp People that there has been unauthorised activity on its global IT system.

The RBA recommends that any person who has applied online for a position with the RBA consider taking steps to secure their personal information and maintain a close watch on the use of their information to ensure that there has been no recent unusual activity. Personal information of any referees provided in an application may also be at risk. Please note that we are not currently aware that the unauthorised activity at PageUp People has resulted in any fraudulent use of any RBA applicant’s or referee’s personal data.

National Australia Bank (NAB), in disclosing its exposure, said: “When notified, NAB took the immediate action to suspend our Job Portal for further recruitment – and remains unavailable.” NAB later resumed limited processes to complete recruitment for positions already underway but the portal is still closed.

The Commonwealth Bank, on its careers site, says: “At this stage, we have still not turned PageUp back on. We’ll be running a manual recruitment process for a small number of roles in the interim. Please check Seek and LinkedIn for any vacancies.”

Macquarie Group is advising job applicants to go to Seek or LinkedIn to apply or send an email to its listed careers email address.

Health insurer Medibank says: “The Page Up online recruitment system we use is currently unavailable due to a system breach.”

This week major companies are still emailing people who’d applied for jobs in the past, warning them of the data breach.

Here’s part of an email sent by the NAB: “PageUp People are still investigating this incident; at this point in time, they have not confirmed whether the data of any people who have applied for jobs at NAB has been affected.

“However, as there is a risk this might have occurred, we felt it important to inform you of this incident as you have applied for or been identified as a potential candidate for a role within the NAB Group.”

An email from Telstra outlined the personal information which, in most cases, could have been accessed: the applicant’s name, street address, phone number, application history and email address.

For those who actually got a job at Telstra, the data at risk is extensive:

  • Date of birth;
  • Employment offer details;
  • Employee number (if a current or previous employee);
  • Pre-employment check outcomes;
  • Referee details.

Telstra, in its email, says: “We are taking all necessary action to protect the security of the services provided by the vendor, including asking PageUp to reset all passwords. We are also engaging government bodies, privacy and information security experts across the industry to examine PageUp’s findings on receipt and to further understand how we can help anyone who may have been impacted.”

The telco also says it’s been told that “critical data”, including resumes, ID documents and employment contracts, are not affected in this incident.

Maurice Blackburn, the law firm, also sent an email.

“We have been advised that some personal data for job applicants, placement agencies and employees who applied for positions through the PageUp system may be affected,” the firm says.

Data accessed may have included names, street addresses, email addresses and telephone numbers. Maurice Blackburn repeats the same message: there is no evidence of “exfiltration”, only of access to the information.

“We do recommend that any person who has applied online for a position with Maurice Blackburn check to ensure that there has been no recent unusual activity concerning their personal information and to monitor the use of their personal information,” the firm says.

In Canberra, the federal Treasury, the Attorney General’s department and the Department of Industry, Innovation and Science had all outsourced part of their recruitment application process to PageUp.

“We are aware of the data security breach and are in close contact with the Australian Cyber Security Centre and PageUp as they conduct a forensic analysis in relation to the breach,” says the Attorney General’s department.

The department says that to limit potential risks to personal information people should:

  • change your password on other online services, if you re-use the same password
  • enable multi-factor authentication and other available security measures provided by your other online services
  • be aware of potential phishing emails and telephone calls from businesses or institutions requesting your personal details
  • avoid opening attachments from unknown senders via email or social media
  • install anti-virus software and keep it updated, and
  • apply all recommended software patches from operating system and software providers.

The Department of Industry, Innovation and Science recommends those who have used its online recruitment system from March 2016 check that there has been no unusual activity concerning their personal information.