​Malware hits HR software firm PageUp with possible data compromise

The company said the malware attack has potentially exposed the names and contact details of its clients, such as Telstra.

Australia-based human resources firm PageUp has confirmed it found "unusual" activity on its IT infrastructure last month, which has resulted in the potential compromise of client data.

What is malware?

Everything you need to know about viruses, trojans and malicious software

Cyber attacks and malware are one of the biggest threats on the internet. Learn about the different types of malware - and how to avoid falling victim to attacks.

Read More

On May 23, the SaaS provider said it immediately launched a forensic investigation after malware was spotted on its system. Five days later PageUp said its suspicions were confirmed, with investigations revealing "some indicators" that client data may have been compromised.

"If any personal data has been affected it could include information such as name and contact details. It could also include identification and authentication data e.g. usernames and passwords which are encrypted (hashed and salted)," the company said in a statement.

"There is no evidence that there is still an active threat, and the jobs website can continue to be used. All client user and candidate passwords in our database are hashed using bcrypt and salted; however, out of an abundance of caution, we suggest users change their password."

The company said that signed employment contracts and resumes are stored on different infrastructure to that which was affected; it said there is no evidence that the document storage infrastructure has been compromised.

The statement, penned by CEO and co-founder Karen Cariss, said PageUp has been working with international law enforcement, government authorities, and independent security experts to "fully investigate" the matter.

As a result, the company said it is unable to provide further detail on what information has been affected.

"Since becoming aware of unauthorised access we have been urgently analysing the impact and consequences of this incident and have engaged independent digital forensic expertise, who have been attempting to identify what, if any personal data may have been accessed," the statement continues.

"That said, we can share that the source of the incident was a malware infection. The malware has been eradicated from our systems and we have confirmed that our anti-malware signatures can now detect the malware.

"We see no further signs of malicious or unauthorised activity and are confident in this assessment."

Australian telecommunications provider Telstra has also issued a statement on the PageUp incident, as it is using the software services as part of its employee recruitment processes.

"In most cases, the personal information that could be potentially impacted is the applicant's name, phone number, application history, and email address," Telstra wrote. "For those whose applications were successful, the data in PageUp's systems may include: Date of birth, employment offer details, employee number (if a current or previous employee), pre-employment check outcomes, [and] referee details."

While Telstra said PageUp has not yet advised if any of its data was affected, the telco said it will contact impacted individuals if required.

PageUp said it has informed the UK Information Commissioner's Office and the UK National Cyber Security Centre in line with its obligations for PageUp People's own staff data, where the local arm is a data controller.

See more: How Europe's GDPR will affect Australian organisations

The Australian Cyber Security Centre and Australia's Computer Emergency Response Team have also been informed, the company confirmed, noting it has also liaised "as appropriate" with the Office of the Australian Information Commissioner (OAIC).

The OAIC reported in April it had received 63 notifications since Australia's Notifiable Data Breaches (NDB) scheme came into effect on February 22, 2018.

The Quarterly Statistics Report: January 2018-March 2018 revealed that health service providers accounted for 15 breaches; legal, accounting, and management services suffered 10; finance, including superannuation, reported eight breaches; education suffered six; and charities four.

The NDB scheme requires agencies and organisations in Australia that are covered by the Privacy Act 1988 to notify individuals whose personal information is involved in a data breach that is likely to result in "serious harm" as soon as practicable after becoming aware of a breach.

According to the OAIC, 73 percent of eligible data breaches reported involved the personal information of less than 100 individuals, with just over half of the notifications involving the personal information of between one and nine individuals.

27 percent of notifications under the NDB scheme involved more than 100 individuals, the report highlighted.

The most common kind of breached information reported to the OAIC was contact information, which was the subject of 78 percent of the total breaches reported.

Intelligence agencies, not-for-profit organisations or small businesses with turnover of less than AU$3 million annually, credit reporting bodies, and political parties are exempt from the NDB.

PREVIOUS AND RELATED COVERAGE