After revealing last week it had fallen victim to a malware attack, HR software provider PageUp has said forensic investigations have confirmed that an unauthorised person gained access to its systems and that it is likely customer information has been accessed.
"Forensic investigations have confirmed that an unauthorised person gained access to PageUp systems," the company wrote in an update on Tuesday.
"While investigations continue, on the balance of probabilities, we believe certain personal data relating to our clients, placement agencies, applicants, references, and our employees has been accessed.
"Although the incident has been contained and PageUp is safe to use, we sincerely regret some data may be at risk."
Based on the information it currently has at hand, PageUp believes accessed data may include names, street addresses, email addresses, and telephone numbers of its clients.
"Some employee usernames and passwords may have been accessed, however current password data is protected using industry best practice techniques including hashing and salting and therefore is considered to be of very low risk to individuals," the statement continued.
"No employment contracts, applicant resumes, Australian tax file numbers, credit card information, or bank account information were affected. No data contained in our onboarding, performance, learning, compensation, or succession modules was affected."
PageUp confirmed last week it found "unusual" activity on its IT infrastructure last month, which resulted in the potential compromise of client data.
On May 23, the SaaS provider said it immediately launched the forensic investigation after malware was spotted on its system. Five days later PageUp said its suspicions were confirmed, with investigations revealing "some indicators" that client data may have been compromised.
PageUp said it is continuing to work with the Australian Cyber Security Centre, Australian Federal Police, and multiple independent cybersecurity firms to address the incident.
"We have retained one of Australia's leading cybersecurity firms to evaluate our systems and identify improvements based on the evolving landscape," the company added.
According to Sydney-based Centennial Lawyers, which on Friday announced it was considering launching a class action lawsuit against PageUp over potential data mishandling, companies that may have been affected by the breach include Wesfarmers-owned Coles, Target, Kmart, and Officeworks; the National Australia Bank; Telstra; the Reserve Bank of Australia; Australia Post; Medibank; the ABC; the Australian Red Cross; and the University of Tasmania.
Australia's Notifiable Data Breaches (NDB) scheme came into effect in February, requiring agencies and organisations in Australia that are covered by the Privacy Act to notify individuals whose personal information is involved in a data breach that is likely to result in "serious harm", as soon as practicable after becoming aware of a breach.
The Office of the Australian Information Commissioner (OAIC) -- which handles the NDB scheme -- issued a statement last week confirming it is in contact with PageUp and the Australian Cyber Security Centre about the incident.