PageUp is an Australian firm. Their business is a Human Resources software provider. PageUp has a global presence with 2M users across 190 countries. The vast number of these clients are corporate. These include Wesfarmers (Coles, Target, Kmart, and Officeworks), NAB, Telstra, Commonwealth Bank, Lindt, Aldi, Linfox, Reserve Bank of Australia, Australia Post, Medibank, ABC, Australian Red Cross, University of Tasmania, AGL, and Jetstar.
PageUp unfortunately was on the receiving end of a successful malware attack. This took the form of an unauthorized person gaining access to its system. The precise method or attack point has not been published yet.
The focus with this attack was not in this case encrypting their servers or destroying the data, as with ransomware or other malicious acts. Data acquisition was the end-goal. As noted, the attack was successful. The attackers were able to access their customer’s information. This was the data relating to the client’s personal data (i.e. names, street address, email address, telephone numbers, bank details, tax file numbers, diversity information, and emergency contact information), placement agencies, applicants, references, and own employees. The passwords may have been accessed, however per the company these were hashed.
For this attack to be successful, there was a significant amount of activity. PageUp detected what the company noted as “unusual” activity with its IT infrastructure in May 2018. PageUp began their forensic investigation on May 23, 2018. The detection took the form of malware being detected on its systems. Fortunately, the investigation confirmed this as the issue five days later. The business is working with the Australian Cyber Security Centre, several third party cybersecurity firms, and the Australian Federal Police.
This was a substantial issue. As noted, this was detected internally by their systems. Until this was resolved the business did not accept new apps. Due to the level of penetration into the business, a portion of the customers were still wary and treating the situation cautiously.
Nearly every person is familiar with GDPR. This new set of laws in the EU is focused on the data security for the people in the EU and is rather far-reaching. This affects not only businesses in the EU, but anyone holding, managing, or processing any of this data.
PageUp has interests and works in the EU. The breach and compromise may be considered a violation of the GDPR. PageUp may possibly face a massive fine of up to 4%of their global turnover. The business is also dealing with other issues, including reputational problems, costs associated with the forensic work, and potential for a class action lawsuit.
The data exfiltrated was confidential and personal, and marketable by the attackers. The data and amount of data was great for person’s seeking to perpetrate identity fraud. The affected clients have years of potential issues to deal with including monitoring their credit for fraudulent charges and accounts.
Bunker, G. (2018, June 11). What the pageup data breach means in a post-GDPR world. Retrieved from https://www.informationsecuritybuzz.com/expert-comments/what-the-pageup-data-breach/
Crozier, R. (2018, June 12). PageUp people all but confirms personal data ‘accessed’. Retrieved from https://www.itnews.com.au/news/pageup-people-all-butconfirms-personal-data-accessed-493481
Davies, A. (2018, June 7). PageUp data breach: Thousands of job seekers’ details potentially exposed. Retrieved from https://www.theguardian.com/technology/2018/jun/07/thousands-of-job-seekers-details-potentially-exposed-in-hack
Duerden, J. (2018, June 12). Blame pageup breach on security industry. Retrieved from https://www.theaustralian.com.au/business/technology/blame-pageup-breach-on-security-industry/news-story/
Duke, J. (2018, June 11). PageUp data breach: ABC, Asoki, Myer, Macquarie pull jobs pages. Retrieved from https://www.smh.com.au/business/companies/pageup-data-breach-abs-asaki-myer-macquerie-pull-jobs-pages-20180611-p4zktj.html
McLean, A. (2018, June 12). PageUp says it is ‘probable’ customer data was externally accessed. Retrieved from https://www.zdnet.com/article/pageup-says-it-is-probable-customer-data-was-externally-accessed/
Paganini, P. (2018, June 6). HR software firm pageup is the last victim of a data breach, the company has 2.6 million active users across over 190 countries. Retrieved from https://securityaffairs.co/wordpress/73242/data-breach/pageup-data-breach.html
PageUp. (2018, June 12). Unauthorized activity on IT system. Retrieved from https://www.pageuppeople.com/unauthorized-activity-on-it-system/
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.