PageUp could face class action over potential data mishandling

Centennial Lawyers is considering launching a class action lawsuit against the HR SaaS provider after it suffered a malware attack and possible resulting data breach.

Human resources software firm PageUp could find itself up against a class action lawsuit, after it revealed earlier this week it had fallen victim to a malware attack that potentially compromised client information.

Centennial Lawyers, which last year filed a class action lawsuit against the New South Wales Ambulance Service in the Supreme Court of NSW after it compromised sensitive personal and health information of NSW Ambulance workers, has said it is considering a class action against PageUp.

According to the Sydney-based law firm, companies that may have suffered at the hands of the malware attack include Wesfarmers-owned Coles, Target, Kmart, and Officeworks; the National Australia Bank (NAB); Telstra; the Reserve Bank of Australia; Australia Post; Medibank; the ABC; the Australian Red Cross; and the University of Tasmania.


"Employers owe a duty to keep highly personal information confidential, not only of their workers but also those that are applying for work. This can often include financial information and even medical information required as part of an induction process," principal solicitor of Centennial Lawyers A/Prof. George Newhouse said.

"Companies, and those that provide services to them, must take adequate steps to protect their employees' or potential employees' information. This case highlights the damage that can be done if security is breached."

Citing class action cases overseas due to the mishandling of information by affairs-based dating service Ashley Madison and search engine Yahoo, Newhouse said similar cases are only now starting to be issued in Australia and that action against PageUp would reaffirm the importance of protecting people's data that contains personal, sensitive, or confidential information.

PageUp confirmed earlier this week it found "unusual" activity on its IT infrastructure last month, which has resulted in the potential compromise of client data.

On May 23, the SaaS provider said it immediately launched a forensic investigation after malware was spotted on its system. Five days later PageUp said its suspicions were confirmed, with investigations revealing "some indicators" that client data may have been compromised.

"If any personal data has been affected it could include information such as name and contact details. It could also include identification and authentication data e.g. usernames and passwords which are encrypted (hashed and salted)," the company said in a statement.

"There is no evidence that there is still an active threat, and the jobs website can continue to be used. All client user and candidate passwords in our database are hashed using bcrypt and salted; however, out of an abundance of caution, we suggest users change their password."

NAB took the proactive measure of suspending its use of PageUp earlier this week, with the bank's chief privacy officer Jade Haar saying an active investigation has commenced to ascertain what data, if any, has been affected.

"In most cases, the personal information that could be potentially impacted is the applicant's name, phone number, application history, and email address," Telstra similarly wrote.

"For those whose applications were successful, the data in PageUp's systems may include: Date of birth, employment offer details, employee number (if a current or previous employee), pre-employment check outcomes, [and] referee details."

Australia's Notifiable Data Breaches (NDB) scheme came into effect in February, requiring agencies and organisations in Australia that are covered by the Privacy Act to notify individuals whose personal information is involved in a data breach that is likely to result in "serious harm", as soon as practicable after becoming aware of a breach.

The Office of the Australian Information Commissioner (OAIC) -- which handles the NDB scheme -- issued a statement earlier this week confirming it is in contact with PageUp and the Australian Cyber Security Centre about the incident.
