Information Update 21st November 2018
Forensic Expert confirms no specific evidence of data taken in PageUp security incident
A detailed forensic investigation on the PageUp security incident in May this year has concluded that while an attacker was successful in installing tools that could exfiltrate data, no specific evidence was found that data was exfiltrated. We thank you for your patience as we worked through this process.
The investigation was conducted by expert forensic analysts Klein & Co. who collected and analysed all available digital forensic evidence related to the incident.
Information Update 19 June 2018
The Australian Cyber Security Centre (ACSC), the Office of the Australian Information Commissioner (OAIC) and IDCARE have released a joint statement. Read the statement here.
Information Update 17 June 2018
In our FAQs listed below, we have updated the question – “What data was obtained through this incident?”
Edited 18 June 2018 to clarify information pertaining to incorrect failed passwords.
FAQs
Are PageUp systems safe to use?
Cybersecurity experts have confirmed they have not identified any further threats on our systems and PageUp is safe to use. Further security measures have been implemented to help guard against any similar incident in the future.
What has happened?
Forensic investigations have confirmed that an unauthorised person gained access to PageUp systems.
Although the incident has been contained and PageUp is safe to use, we sincerely regret that some data may be at risk.
What data was obtained through this incident?
Forensic experts have identified that compromised data may be the following:
Employees/former employees of PageUp clients
Some personal data for employees who currently or previously had access to the client’s PageUp instance may be affected. This includes employee contact information (including name, email address, physical address, and telephone number) and employment information (including employment status, company and title, and whether they were the registered contact for communications from PageUp). For those employees who currently or previously had access to a client’s PageUp instance, current password data is protected using the robust password hashing algorithm, bcrypt, which includes salts, and therefore is considered to be of very low risk to individuals. A small number of PageUp error logs from before 2007 may have contained incorrect failed passwords in clear text. Because failed passwords can be similar to correct passwords, if employees have not changed their password information since 2007, it would be prudent to do this now and anywhere where they may have used the same password.
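The paragraph above makes two points worth seeing in code: a salted password hash (PageUp's is bcrypt) leaves a stolen database of little direct use, while an error log that records a mistyped password is itself credential data. The following is an added example, not PageUp's code; it assumes Python's standard library, so it uses scrypt (also salted and memory-hard) as a stand-in for bcrypt, and the user, passwords and audit records are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# scrypt work factors (assumption: stand-in for bcrypt, which is not in the stdlib)
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password: str) -> str:
    """Return 'scrypt$<salt>$<digest>' using a fresh random 16-byte salt."""
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    scheme, salt_hex, digest_hex = stored.split("$")
    if scheme != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def attempt_login(users: dict, username: str, password: str, audit_log: list) -> bool:
    """Check credentials and append an audit record.

    The record carries only the username and the outcome. A failed attempt is
    usually a near-miss of the real password, so writing the submitted value
    to an error log would turn that log into clear-text credential data.
    """
    stored = users.get(username)
    ok = stored is not None and verify_password(password, stored)
    audit_log.append({"user": username, "result": "success" if ok else "failure"})
    return ok


def demo() -> dict:
    """Constructed sample: one user, one correct login and one mistyped one."""
    users = {"alice": hash_password("correct horse battery")}
    audit_log: list = []
    good = attempt_login(users, "alice", "correct horse battery", audit_log)
    bad = attempt_login(users, "alice", "correct horse batery", audit_log)
    return {"good": good, "bad": bad, "log": audit_log}
```

Two hashes of the same password differ because each gets its own salt, which is what stops an attacker who holds the table from cracking every account with one precomputed dictionary.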
PageUp client job applicants
- Contact details including name, email address, physical address, and telephone number
- Biographical details including gender, date of birth, and middle name (if applicable), nationality, and whether the applicant was a local resident at the time of the application
- Employment details at the time of the application, including employment status, company and title. If the application was submitted for a reference check, then the following additional details may have been provided by the reference: technical skills, special skills, team size, length of tenure with company, reason for leaving that position (if applicable), and the length of relationship between the applicant and reference.
Password data for applicants was protected using industry best practice techniques, including hashing and salting and therefore evaluated as a very low risk.
PageUp client job references
For references who were included with an applicant’s information, contact information (including name, email address, physical address, and telephone number) and employment information at the time the reference was provided (including company, title, and the length of the relationship with the applicant) are affected.
Agency
Non-personal data affected includes publicly available job information, system communications and approval requests related to postings, and system information related to service level integrations. Login details of clients' agency contacts, including name, email address, physical address, and telephone number, are among those potentially affected. Usernames and passwords used to log in to a client's instance of PageUp are protected using the robust password hashing algorithm bcrypt, which includes salts. Therefore, the risk of harm relating to your agency contact usernames and passwords is low.
Information we believe is not affected
Importantly, we are confident that the most critical data categories including resumes, financial information, Australian tax file numbers, employee performance reports and employment contracts are not affected in this incident. No data contained in our New Starter Forms, Onboarding, Performance, Learning, Compensation or Succession Modules was affected.
How are you responding?
We have retained one of Australia’s leading cybersecurity firms to evaluate our systems and identify improvements based on the evolving landscape.
We have been and continue to work with international law enforcement, government authorities and independent security experts.
We take privacy very seriously and are doing everything in our power to make our systems – and most importantly the data we hold – more secure, now and for the long-term.
What should I do if I think my data may have been accessed?
If you are concerned that your data may have been accessed by an unauthorised party, we advise that you follow these good security practices:
- Change your passwords on other online services, if you re-use the same password
- Enable multi-factor authentication and other available security measures provided by your other online services
- Be aware of potential phishing emails and telephone calls from businesses or institutions requesting your personal details. Avoid opening attachments from unknown senders via email or social media
- Install anti-virus software and keep it updated
- Apply all recommended software patches from operating system and software providers.
Have you told any regulatory organisations about the incident?
We have informed the UK Information Commissioner’s Office (ICO) in line with our obligations for PageUp People’s own staff data where we are a data controller.
We have also notified the Australian Cyber Security Centre (ACSC) and engaged with Australia’s Computer Emergency Response Team (CERT). The Australian Federal Police have been notified.
We have also liaised with the Office of the Australian Information Commissioner (OAIC) and will continue to do so with other regulatory bodies as appropriate.
Who has been assisting with this investigation?
We have engaged independent IT and forensic security experts who are working alongside our internal IT Security Team. The Australian Cyber Security Centre, Australian Federal Police and multiple independent expert cyber security firms continue to work with us to address the incident.
Where should I go for more information?
Applicants and employees with specific concerns should contact the company they lodged their application with.
For general information about how you can protect your data privacy, visit the Australian Competition and Consumer Commission website at www.scamwatch.gov.au. Individuals can contact us regarding this incident on: security-enquiries@pageuppeople.com
Customers have received ongoing communications. If customers have any additional questions or concerns that may not have been answered in our communications, please don’t hesitate to contact pageup-security@pageuppeople.com
Media can refer to our press release.
Information Update 12 June 2018
To our valued customers and users:
As you may have heard, we are currently investigating a security incident in which unauthorised person(s) accessed our system. We now have some further information about this incident that we can share.
Overview:
- We have been investigating a security incident where unauthorised person(s) accessed our system.
- Cybersecurity experts investigating have confirmed they have not identified any further threats on our systems. PageUp is safe to use.
- We have some information to share about the data that may have been accessed as a result of the incident.
Ongoing investigation
While investigations continue, on the balance of probabilities, we believe certain personal data relating to our clients, placement agencies, applicants, references and our employees has been accessed.
We continue to run forensic analysis, but based on our current information we believe data may include names, street addresses, email addresses, and telephone numbers. Some employee usernames and passwords may have been accessed, however current password data is protected using industry best practice techniques including hashing and salting and therefore is considered to be of very low risk to individuals. No employment contracts, applicant resumes, Australian tax file numbers, credit card information or bank account information were affected. No data contained in our New Starter Forms, Onboarding, Performance, Learning, Compensation or Succession Modules was affected.
Response
The Australian Cyber Security Centre, Australian Federal Police and multiple independent expert cyber security firms continue to work with us to address the incident.
We take privacy very seriously and are doing everything in our power to make our systems and security processes – and most importantly the data we hold – more secure, now and for the long-term. We sincerely apologise to our clients, applicants and employees who may be affected by this incident.
Anyone who believes their data may have been affected can email: security-enquiries@pageuppeople.com
Going forward
The investigation is ongoing. We have confirmed that the threat on our systems has been contained and eradicated. You can continue to use the PageUp system.
We again sincerely apologise to our clients, applicants and employees for the concerns this incident has raised. We take privacy extremely seriously and are doing everything in our power to strengthen our systems and security processes.
We continue to work around the clock with leading advisors around the globe to further our, and your, understanding.
We look forward to enabling customers, employees and job seekers to return to business as usual.
FAQs
Are PageUp systems safe to use?
Cybersecurity experts have confirmed they have not identified any further threats on our systems and PageUp is safe to use. Further security measures have been implemented to help guard against any similar incident in the future.
What has happened?
Forensic investigations have confirmed that an unauthorised person gained access to PageUp systems.
Although the incident has been contained and PageUp is safe to use, we sincerely regret that some data may be at risk.
What data was obtained through this incident?
Forensic experts have identified that compromised data may include names, street addresses, email addresses, and telephone numbers.
Importantly, we are confident that the most critical data categories including resumes, financial information, Australian tax file numbers, employee performance reports and employment contracts are not affected in this incident. No data contained in our New Starter Forms, Onboarding, Performance, Learning, Compensation or Succession Modules was affected.
What about passwords?
Some employee usernames and passwords may have been accessed but are protected using industry best practice techniques, including hashing and salting and are therefore evaluated as a very low risk.
How are you responding?
We have retained one of Australia’s leading cybersecurity firms to evaluate our systems and identify improvements based on the evolving landscape.
We have been and continue to work with international law enforcement, government authorities and independent security experts.
We take privacy very seriously and are doing everything in our power to make our systems – and most importantly the data we hold – more secure, now and for the long-term.
What should I do if I think my data may have been accessed?
If you are concerned that your data may have been accessed by an unauthorised party, we advise that you follow these good security practices:
- Change your passwords on other online services, if you re-use the same password
- Enable multi-factor authentication and other available security measures provided by your other online services
- Be aware of potential phishing emails and telephone calls from businesses or institutions requesting your personal details. Avoid opening attachments from unknown senders via email or social media
- Install anti-virus software and keep it updated
- Apply all recommended software patches from operating system and software providers.
Have you told any regulatory organisations about the incident?
We have informed the UK Information Commissioner’s Office (ICO) in line with our obligations for PageUp People’s own staff data where we are a data controller.
We have also notified the Australian Cyber Security Centre (ACSC) and engaged with Australia’s Computer Emergency Response Team (CERT). The Australian Federal Police have been notified.
We have also liaised with the Office of the Australian Information Commissioner (OAIC) and will continue to do so with other regulatory bodies as appropriate.
Who has been assisting with this investigation?
We have engaged independent IT and forensic security experts who are working alongside our internal IT Security Team. The Australian Cyber Security Centre, Australian Federal Police and multiple independent expert cyber security firms continue to work with us to address the incident.
Where should I go for more information?
Applicants and employees with specific concerns should contact the company they lodged their application with.
For general information about how you can protect your data privacy, visit the Australian Competition and Consumer Commission website at www.scamwatch.gov.au. Individuals can contact us regarding this incident on: security-enquiries@pageuppeople.com
Customers have received ongoing communications. If customers have any additional questions or concerns that may not have been answered in our communications, please don’t hesitate to contact pageup-security@pageuppeople.com
Media can refer to our press release.
Finally,
We again sincerely apologise to our clients, applicants and employees for the concerns and inconveniences this incident has raised.
Karen Cariss
CEO and Co-Founder
Information update 5 June 2018
As part of our commitment to keeping our global community of users and partners informed, we wish to advise you of unauthorised activity discovered on the PageUp system.
On May 23, 2018, PageUp detected unusual activity on its IT infrastructure and immediately launched a forensic investigation. On May 28, 2018, our investigations revealed indicators that client data may have been compromised; a forensic investigation, with assistance from an independent third party, is currently ongoing.
We take cyber security very seriously and have been working together with international law enforcement, government authorities and independent security experts to fully investigate the matter.
There is no evidence that there is still an active threat, and the jobs website can continue to be used. All client user and candidate passwords in our database are hashed using bcrypt and salted; however, out of an abundance of caution, we suggest users change their passwords.
We apologise for any concerns and inconvenience this incident has caused and have developed the below FAQs to help address any queries the community may have. These FAQs will be updated as any new information arises, and should serve as the central destination for updates about this matter. Thank you.
Karen Cariss
CEO and Co-Founder