Thousands of Australians are again being notified that their personal information was potentially compromised after a vendor that powers jobs and recruitment sites for companies around the world experienced a breach.
The Australian Cyber Security Centre (ACSC) is investigating the breach of Australian-based recruiting company PageUp to determine the full impact. ACSC continues its efforts to identify what data, if any, was compromised. Those likely to be most affected are in large part based in Australia.
“PageUp has indicated the incident is contained and the threat has been removed. They contacted the ACSC for advice and support, and have also informed the Office of the Australian Information Commissioner (OAIC) of the incident,” ACSC wrote in today’s news story.
As part of its incident response plan, PageUp has announced that there was unauthorized activity on its IT systems. The news has set off alarm bells for employers and job seekers alike. Major clients that rely on the recruitment firm include, among several others, the Reserve Bank of Australia, Australia Post, University of Tasmania, Australian Red Cross and Commonwealth Bank.
Though the company said that all client passwords are hashed using bcrypt and salted, it recommends users change their passwords as an added safety precaution.
CEO and co-founder Karen Cariss said that the suspicious activity was first noticed on its IT infrastructure on 23 May 2018. The company immediately launched a forensic investigation. “On May 28, 2018 our investigations revealed that we have some indicators that client data may have been compromised, a forensic investigation with assistance from an independent 3rd party is currently ongoing,” Cariss wrote, adding there are no indications that an active threat still exists.
“Today, companies across the world are finding out that the path to their data is being provided by PageUp. For enterprises that don’t have a detailed understanding of the risks introduced by each and every third party in their digital ecosystem, it’s not a matter of if but when their data will be exposed by a third party. It’s like playing Russian roulette with your data, and that’s a game that rarely ends well,” said Scott Schneider, CRO at CyberGRX.