Catalin Cimpanu* says a security breach at Australian HR company PageUp has led to warnings to employees and job applicants that their personal data might have been stolen.
A security breach at one of the world’s largest human resources providers, Australian company PageUp, has resulted in tens of companies that were using their services notifying employees and applicants last week that their personal data might have been stolen last month.
In a statement about the incident published last week, PageUp said the breach occurred due to a malware infection on one of its IT systems.
The company discovered the malware on 23 May and launched a forensic investigation into the issue.
“On May 28, 2018, our investigations revealed that we have some indicators that client data may have been compromised,” PageUp said.
Breach trickled down to hundreds of companies
PageUp is an Australian company that provides HR, careers, and recruitment services across the world.
Customers who sign up with PageUp can embed a custom IT solution on their public “career sites” and intranets that helps them publish job openings, receive applicant CVs, and select the appropriate candidates.
Data submitted by job applicants is stored on PageUp’s cloud infrastructure, and HR staffers at each company can access it via customised dashboards.
All in all, PageUp’s solution is quite popular with HR departments across the world.
The company touts hundreds of customers, ranging from US universities to Government Departments, and from supermarket chains to the world’s largest banks.
All of these customers have now been notified of the PageUp breach, and each of them is now notifying their own employees and job applicants of the security incident.
The PageUp breach saw the internet come alive last week with a flurry of breach notifications sent out by PageUp’s clients.
Telstra, the Tasmanian Government, supermarket chains Kmart, Target, and Coles, the Australian Broadcasting Corporation (ABC), Australia Post, Medibank, the Reserve Bank of Australia and many others published breach notifications, shut down career portals, or removed PageUp integrations from their job listing pages.
PageUp doesn’t know what the malware was able to steal
PageUp was unable to say what data the malware was able to steal from its systems or from which of its customers.
The HR company said each customer stored different data, but that its investigation is still in its early stages.
Even if it has limited details about the incident and the stolen data, PageUp went public with its breach notification because of new privacy laws such as the EU’s GDPR and Australia’s Privacy Act Notifiable Data Breaches (NDB) scheme (which came into effect on 22 February 2018).
These laws force companies to alert customers of breaches as soon as they learn of them so that users can take protective measures.
While the breach notifications appear mainly on the websites of Australian companies and Australian branches of foreign companies, the breach might also impact users located in other countries that have applied for jobs through a PageUp-powered careers portal.
PageUp promised to publish more updates on an official incident FAQ page about what the attackers managed to steal via the malware.
Passwords should be safe, for now
“The malware has been eradicated from our systems and we have confirmed that our anti-malware signatures can now detect the malware,” PageUp said last week.
The HR company also said that it is currently working with law enforcement and a third-party security firm to dig through the forensic data and determine the breach’s scope.
“All client user and candidate passwords in our database are hashed using bcrypt and salted, however, out of an abundance of caution, we suggest users change their password,” PageUp recommended.
* Catalin Cimpanu is the Security News Editor for Bleeping Computer. He tweets at @campuscodi.
This article first appeared at www.bleepingcomputer.com.
