The Australian Attorney-General's Department (AGD) has confirmed that some of its staff may have had their information compromised at the hands of HR software provider PageUp, after the company earlier this week admitted some data held on its clients may be at risk.
As first reported by SBS News, AGD's recruitment team sent an email to job applicants informing them it was "possible that some of your personal details which were held in PageUp's systems may have been accessed by an unauthorised person and possibly disclosed to others".
"Our department has a contractual relationship with PageUp in respect of particular recruitment services," AGD wrote in a statement.
"We are aware of the data security breach and are in close contact with the Australian Cyber Security Centre and PageUp as they conduct a forensic analysis in relation to the breach."
PageUp confirmed some data may have been compromised, after revealing earlier this month it had fallen victim to a malware attack.
"Forensic investigations have confirmed that an unauthorised person gained access to PageUp systems," the company wrote. "Although the incident has been contained and PageUp is safe to use, we sincerely regret some data may be at risk."
The HR firm said that some personal data for employees who currently or previously had access to the client's PageUp instance may be affected.
The potentially accessed information includes employee contact details, such as name, email address, street address, and telephone number, as well as employment information, such as employment status, company, and job title.
In addition, failed login attempt data from 2007 and before contained a very small amount of password data in clear text, PageUp said, advising employees who have not changed password information since 2007 to do so with urgency.
Similarly, data on job applicants may also be at risk.
Contact details including name, email address, physical address, and telephone number; biographical details including gender, date of birth, middle name, nationality, and whether the applicant was a local resident at the time of the application; and employment details at the time of the application, including employment status, company, and title, comprise the information potentially breached.
PageUp said if the application was submitted for a reference check, additional details may have also been breached, such as the applicant's technical skills, special skills, team size, length of tenure with company, reason for leaving that position, and the length of relationship between the applicant and reference.
No employment contracts, applicant resumes, Australian tax file numbers, credit card information, or bank account information was affected, however.
"PageUp has committed to advising impacted organisations and individuals if there are any new findings to arise as they complete their investigations," Head of the Australian Cyber Security Centre and National Cyber Security Adviser Alastair MacGibbon said of the incident in a statement from the Office of the Australian Information Commissioner (OAIC).
"PageUp has demonstrated a commendable level of transparency in how they've communicated about, and responded to, this incident: They came forward quickly and engaged openly with affected organisations," MacGibbon added.
The SaaS-based recruitment firm has confirmed some data was compromised in the recent malware attack it suffered.
Centennial Lawyers is considering launching a class action lawsuit against the HR SaaS provider after it suffered a malware attack and possible resulting data breach.
The OAIC has revealed to ZDNet it has received 31 notifications since the Notifiable Data Breaches scheme came into effect last month.
Data breaches can be chaotic and stressful episodes. Learn the most effective actions you can take to help plan for these turbulent events.