As PageUp remediates its security breach, a reminder that times have changed
- 14 June, 2018 16:10
An extensive forensic investigation has given employment service provider PageUp the all-clear after an extensive forensic investigation into a breach that saw unauthorised access to names and contact details of job-seekers in Australia, Singapore, and the UK.
Tax file numbers, employment contracts, financial information, and other sensitive data were not lost in the breach, the company said in a statement in which CEO and co-founder Karen Cariss minimised the risk of password compromise due to the use of “industry best practice techniques” such as hashing and salting.
The breach, which was detected on 23 May and confirmed on 28 May, spawned public warnings that thousands of Australians’ personal details might have been stolen by unauthorised external parties. This threatened data related to job seekers of the firm’s Australian recruitment customers, according to the ABC, include Wesfarmers, NAB, Telstra, AGL, Australia Post, the ABC, and more.
PageUp claims over 2 million active users in 190 countries, and claims a 97 percent client retention rate for its human resources, recruitment, learning management and related solutions.
“On the balance of probabilities, we believe certain personal data relating to our clients, placement agencies, applicants, references and our employees has been accessed,” Cariss said.
PageUp was assisted by security consultancy HivInt to co-ordinate the response to the incident, the statement said, with Klein & Co engaged as forensic analysts to “collect evidence, reconstruct the incident to fully understand the impact, and provide ongoing network security monitoring”.
The Australian Cyber Security Centre (ACSC), Australian Federal Police, and Office of the Australian Information Commissioner (OAIC) – which released a statement about the breach – have all been liaising with the PageUp security team to manage the investigation.
PageUp’s compromise falls under the auspices of Australia’s new notifiable data breaches (NDB) scheme, which requires companies to notify affected individuals and the OAIC in the event that a data breach poses a likely risk of serious harm to those individuals.
Cybersecurity consultants were quick to highlight both the risk of the breach and its importance as a reminder of the implications of a breach that, in PageUp’s case, spans a wealth of jurisdictions covered by legislation including the European Union’s general data protection regulation (GDPR).
“The significance of this breach cannot be [overstated],” warned Forcepoint APAC director of sales engineering William Tam in a statement. “Given this is the first major breach to happen after the launch of the GDPR, it will be the first example of how action will be taken by the EU.”
“Organisations should see this as an insight into the future of how data breaches will be handled under new regulations, and use this as a wake-up call to improve their posture today, to avoid being tomorrow’s headline.”
Cylance ANZ country manager Jason Duerden took a stab at a security industry that, he said in a statement, “continues to perpetuate a false sense of security with traditional signature-based antivirus software and after-the-fact patches. Rather than blaming PageUp, we need to put accountability back on the security provider that claims to be protecting the company and its customers.”
“The truth is, we can do better: next-generation solutions using artificial intelligence and machine learning are able to proactively prevent breaches instead of simply mop up after the damage is already done. This breach should be another lesson to businesses to review and upgrade their endpoint security solutions, and to strive for prevention.”
While the breach may have been deemed contained, the long-term fallout for jobseekers of companies like David Jones, Myer, and Macquarie – which all pulled their PageUp presences after the breach was detected – remains to be seen.
The breach reflected the dangers facing corporations and individuals in a “boundaryless world”, Centrify senior director for APAC sales Niall King said in a statement. “Trust no longer provides protection, whether it’s of an employee or a third-party service provider.”
Trend Micro ANZ country director Ashley Watkins called the breach a reminder that “Australian organisations – no matter how big or small – are operating in a new era of cyber requirements. Historically many companies have taken a complacent approach to data security, but this is starting to change.”
“The unfortunate reality is that data breaches do happen, so it’s paramount that organisations pay close attention to their disclosure processes and prioritise transparency with their customers. It’s how organisations handle the breach from beginning to end that will have a lasting impact on customer trust and public perception.”
PageUp expects to finalise a third-party containment report, which will subsequently be shared at a private meeting of the Australian Cyber Security Centre and Joint Cyber Security Centre members.”