Australian company PageUp has announced a suspected data breach, potentially putting the personal details of thousands at risk.

In February this year, Australia brought in mandatory data breach reporting. Under the new legislation, companies who suspect a data breach must immediately report the incident to affected clients and customers.

The cloud-based HR software provider with 2.6 million users across 190 countries discovered suspicious activity on its system on the 23rd of May this year. It undertook a forensic investigation that confirmed an incident had occurred and client data could potentially have been compromised.

The PageUp software is used by clients for recruitment as well as other HR activities which may involve a wealth of personal information such as names, phone numbers, employment history, date of birth, employee numbers, referee details, pre-employment check information, salary details, bank details, tax numbers, addresses and drivers licence numbers. Sets of data may vary depending on what the service is used for.

PageUp believes that the threat is no longer active. It also confirmed that all passwords were encrypted and if any data were compromised it may include identification and authentication data including usernames and encrypted passwords. PageUp has stated that all signed contracts and resumes are stored separately and there is no evidence to show that this separate infrastructure was compromised.

The breach is being investigated by law enforcement and cybersecurity professionals. Regulators have also been informed, including the UK Information Commissioner’s Office (ICO) and the Office of the Australian Information Commissioner (OAIC). The Australian Cyber Security Centre (ACSC) and UK National Cyber Security Centre (NCSC) are also aware of the breach.

PageUp said that it informed the UK Information Commissioner’s Office and the UK National Cyber Security Centre in line with its obligations for PageUp’s own staff data.

The ICO confirmed it’s investigating the breach.

Mr MacGibbon, head of the ACSC, confirmed the breach and advised all PageUp users to change their passwords.

PageUp’s clients include Telstra, NAB, Coles, Target, Kmart, Officeworks, Australia Post, Aldi, Lindt, Medibank, Linfox, Reserve Bank of Australia, ABC, Australian Red Cross and a number of universities.

Many of PageUp’s clients have issued statements to their employees and candidates to inform them of the breach and the potential impacts on their information. The companies are taking precautionary actions, some suspending or ceasing to use the software until verified as secure, closing website career portals and putting recruitment activity on hold in the interim.

The investigation is ongoing, but PageUp has confirmed the source of the incident was a malware infection which has since been eradicated from its systems.

BBC News: