Published on:
May 17, 2018
On Friday 1 June 2018 PageUp Limited, an online recruitment services organisation, notified their customers about a data incident in relation to the integrity of their systems – proactively informing of a possible breach.
PageUp self-identified suspicious activity on its network and undertook immediate actions to investigate and contain the incident. PageUp notified their corporate customers and the Australian Cyber Security Centre (ACSC) of the issue, enabling the ACSC to quickly assess the incident and support PageUp in their response. In line with the new Notifiable Data Breaches (NDB) scheme, PageUp also notified the Office of the Australian Information Commissioner (OAIC). PageUp is in contact with its corporate clients to facilitate notification to individuals.
Although investigations are ongoing, PageUp believes that certain information pertaining to staff members, applicants and referees was accessed by an unauthorised third party. Further information about the types of information affected can be found at PageUp’s website. PageUp has advised that no employment contracts, applicant resumes, Australian tax file numbers, credit card information or bank account information were affected.
While recognising that investigations are ongoing and that the situation may therefore change, the ACSC emphasises that there is a significant distinction between information being accessed (which means there has been a systems breach) and information being exfiltrated by the offender. In other words, no Australian information may actually have been stolen.
IDCARE is Australia’s expert community identity and cyber support service and has been working with impacted organisations and members of the community in relation to this incident.
Dave Lacey, Managing Director, IDCARE says:
‘Whilst it is important to acknowledge that breached personal information impacts people in different ways, based on investigations undertaken to date by PageUp. At this point IDCARE assesses that the direct risk of identity theft is unlikely. Identity thieves typically require other forms of personal information to successfully manipulate this type of data, such as driver licence, passport, and account details, in order to obtain credit in a person’s name or or undertake other related acts of impersonation. IDCARE assesses that there are other risks that are likely to be more relevant to impacted individuals, including the possibility of phishing emails, telephone scam calls, and specific risks to individuals concerned about their contact information, physical address, and employment details (and applications) becoming known to third parties.’
PageUp has provided public updates, and has held multiple corporate customer information sessions facilitated through the ACSC to help keep affected organisations informed.
Alastair MacGibbon, Head of the Australian Cyber Security Centre and National Cyber Security Adviser says:
‘PageUp has committed to advising impacted organisations and individuals if there are any new findings to arise as they complete their investigations. PageUp has demonstrated a commendable level of transparency in how they’ve communicated about, and responded to, this incident: they came forward quickly and engaged openly with affected organisations.’
Consistent with previous advice, the OAIC, ACSC and IDCARE jointly recommend that individuals who believe their information may be held by one or more of the organisations impacted should consider the following measures:
For further information on how to protect your identity and respond to identity concerns please visit the OAIC’s data breach guidance for individuals and IDCARE’s Learning Centre.
For general easy-to-use information for the public and small to medium businesses, visit the Australian Cyber Security Centre’s Stay Smart Online website.
To report a cyber security incident visit the Australian Cyber Security Centre’s website.
To notify the Office of the Australian Information Commissioner of an eligible data breach involving personal information, organisations should use the the OAIC's Notifiable Data Breach form.
Alastair MacGibbon Head of the Australian Cyber Security Centre and National Cyber Security Adviser
Angelene Falk Acting Australian Information Commissioner and acting Australian Privacy Commissioner
Dave Lacey Managing Director, IDCARE
A spike in scams targeting the Chinese-Australian community.
more info
THE “GAMIFICATION” OF DATA BREACHES. How internet forums are playing with your personal details.
more info
Wire fraud in this instance includes the payment to scammers and fraudsters.
more info
Mon - Fri: 8am - 5pm AEST
QLD: 07 3555 5900
ACT & NSW: 02 8999 3356
VIC: 03 7018 2366
NT, SA & WA : 08 7078 7741
Mon - Fri: 10am - 7pm NZST
AKL: 09 884 4440
IDCARE has access to the Department of Social Services’ Free Interpreting Service, delivered by the Translating and Interpreting Service (TIS National). Access to the Free Interpreting Service is provided to assist you to communicate with non-English speaking people who hold a Medicare card. Please note that the service does not extend to New Zealand citizens or residents who do not hold an Australian Medicare card, or to tourists, overseas students or people on temporary work visas.
The National Relay Service (NRS) is a government initiative that allows people who are deaf, hard of hearing and/or have a speech impairment to make and receive phone calls.
The NRS is available 24 hours a day, every day and relays more than a million calls each year throughout Australia.
Ask our Case managers for more information on how this service will help you.
IDCARE as a registered charity does not ask individuals to donate or pay for our front line services. We are not a charity that can receive tax deductible donations.
We rely on organisations that care enough about you to care about us to keep our charitable service going. Proudly these organisations are displayed above and on our Subscriber Organisations page. If you are asked for payment you are encouraged to report this to IDCARE via our Report Phishing page.