PageUp has confirmed that some data held on its clients may be at risk, after revealing earlier this month it had fallen victim to a malware attack.
"Forensic investigations have confirmed that an unauthorised person gained access to PageUp systems," the company wrote at the weekend. "Although the incident has been contained and PageUp is safe to use, we sincerely regret some data may be at risk."
The HR firm said that some personal data for employees who currently or previously had access to the client's PageUp instance may be affected.
The potentially accessed information includes employee contact details, such as name, email address, street address, and telephone number, as well as employment information, such as employment status, company, and job title.
In addition, failed login attempt data from 2007 and before contained a very small amount of password data in clear text, PageUp said, advising employees who have not changed password information since 2007 to do so with urgency.
Similarly, data on job applicants may also be at risk.
Contact details including name, email address, physical address, and telephone number; biographical details including gender, date of birth, middle name, nationality, and whether the applicant was a local resident at the time of the application; and employment details at the time of the application, including employment status, company, and title, comprise the information potentially breached.
PageUp said if the application was submitted for a reference check, additional details may have also been breached, such as the applicant's technical skills, special skills, team size, length of tenure with company, reason for leaving that position, and the length of relationship between the applicant and reference.
According to the company, resumes, financial information, Australian tax file numbers, employee performance reports, and employment contracts are not affected.
PageUp confirmed on June 5 it found "unusual" activity on its IT infrastructure last month, which resulted in the potential compromise of client data.
On May 23, the SaaS provider said it immediately launched the forensic investigation after malware was spotted on its system. Five days later, PageUp said its suspicions were confirmed, with investigations revealing "some indicators" that client data may have been compromised.
PageUp said it is continuing to work with the Australian Cyber Security Centre, Australian Federal Police, and multiple independent cybersecurity firms to address the incident.
"We have retained one of Australia's leading cybersecurity firms to evaluate our systems and identify improvements based on the evolving landscape," the company added.
According to Sydney-based Centennial Lawyers, which announced it was considering launching a class action law suit on PageUp over potential data mishandling, companies that may have suffered at the hands of the breach include Wesfarmers-owned Coles, Target, Kmart, and Officeworks; the National Australia Bank; Telstra; the Reserve Bank of Australia; Australia Post; Medibank; the ABC; the Australian Red Cross; and the University of Tasmania.
Australia's Notifiable Data Breaches (NDB) scheme came into effect in February, requiring agencies and organisations in Australia that are covered by the Privacy Act to notify individuals whose personal information is involved in a data breach that is likely to result in "serious harm", as soon as practicable after becoming aware of a breach.
The Office of the Australian Information Commissioner (OAIC) -- which handles the NDB scheme -- is in contact with PageUp and the Australian Cyber Security Centre about the incident.
"We have confirmed that the threat on our systems has been contained and eradicated," PageUp added. "We have deployed several layers of advanced security monitoring solutions, which have not identified any ongoing malicious activity. We believe these additional layers of advanced security will help prevent a similar incident in the future."