Human resources management software company PageUp, which services many of the ASX200, has been forced to alert clients that their data could have been compromised thanks to a data breach, forcing major employers across the country to suspend their careers websites.
The business, which was founded by husband and wife team Karen and Simon Cariss 20 years ago, was originally started as a recruitment platform to manage job applications, but has since expanded to include employee onboarding, performance management, learning and development and succession planning.
It counts companies such as AMP, Commonwealth Bank, ANZ, Asahi, Telstra, Coles and Newcrest as customers.
“On May 23, 2018, PageUp detected unusual activity on its IT infrastructure and immediately launched a forensic investigation. On May 28, 2018 our investigations revealed that we have some indicators that client data may have been compromised, a forensic investigation with assistance from an independent third party is currently ongoing,” chief executive Karen Cariss said in a statement published on the company’s website.
“We take cyber security very seriously and have been working together with international law enforcement, government authorities and independent security experts to fully investigate the matter.”
Following the disclosure of the data breach, some of the country’s largest companies were forced to suspend their jobs portals.
Coles said in a statement on its careers website that it had made the decision to suspend all the connections between Coles’ systems and PageUp while it obtained information on the extent of the data breach.
“We have asked for urgent responses from PageUp and are also conducting our own investigations,” the supermarket said in a statement.
“Coles is not currently aware of any fraudulent activity relating to anyone’s data occurring as a result of the security breach. However, we recommend that any person who has applied online for a position with Coles in the past 18 months check to ensure that there has been no recent unusual activity concerning their personal information and maintain a close watch on the use of their personal information.”
Australia Post also confirmed it had shut down its careers website thanks to the PageUp breach, telling job applicants on its website that information that could have been impacted includes bank details, tax file number and superannuation details, diversity information, emergency contact details, their address and contact details, as well as work experience and their license.
Other businesses to suspend their jobs websites include Telstra and AGL. Telstra said in a statement to The Australian Financial Review that it had held “urgent discussions” with PageUp and decided to shut down its jobs page while its investigation is ongoing.
PageUp was not commenting beyond the statement on its website, which stated that it had informed the Australian Cyber Security Centre, Australia’s Computer Emergency Response Team (who may notify the Australian Federal Police), as well as the UK Information Commissioner’s Office.
It also said that the source of the breach was a malware infection, that the malware had now been eradicated from its computer systems, and that it had beefed up its cyber security controls in response to the incident.
The disclosure from the HR tech company comes less than a month after Family Planning NSW suffered a ransomware attack which could have exposed personal information of 8000 clients, collected from patients via its website. Medical records were not exposed.
These types of disclosures are expected to become more and more common in the wake of the notifiable data breach scheme, which was implemented in February.
The first report by the Office of the Australian Information Commissioner in April revealed that in the first six weeks of the new laws, there had been 63 notifications.
Last month Europe also enacted its General Data Protection Regulation (GDPR), which mandates the disclosure of data breaches and tough penalties, and specifies that business processes that handle personal data must be built with “data protection by design and by default” and use the highest possible security settings as default.
In November PageUp told The Australian Financial Review its share of revenue outside of Australia had surpassed 50 per cent for the first time.