[BreachExchange] Malware hits HR software firm PageUp with possible data compromise

Inga Goddijn inga at riskbasedsecurity.com
Wed Jun 6 23:22:38 EDT 2018


https://www.zdnet.com/article/malware-hits-hr-software-firm-pageup-with-possible-data-compromise/

Australia-based human resources firm PageUp has confirmed it found
"unusual" activity on its IT infrastructure last month, which has resulted
in the potential compromise of client data.

On May 23, the SaaS provider said it immediately launched a forensic
investigation after malware was spotted on its system. Five days later
PageUp said its suspicions were confirmed, with investigations revealing
"some indicators" that client data may have been compromised.

"If any personal data has been affected it could include information such
as name and contact details. It could also include identification and
authentication data e.g. usernames and passwords which are encrypted
(hashed and salted)," the company said in a statement.

"There is no evidence that there is still an active threat, and the jobs
website can continue to be used. All client user and candidate passwords in
our database are hashed using bcrypt and salted; however, out of an
abundance of caution, we suggest users change their password."
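The statement pairs "hashed using bcrypt and salted" with advice to change passwords anyway, and the two points go together: a per-user salt only prevents shared precomputation, while the hash's cost parameter sets how fast an attacker who holds the dumped table can guess, so weak passwords still fall offline. The added example below illustrates that storage layout and the offline-guessing consequence. It is not PageUp's code, and since bcrypt is not in Python's standard library, PBKDF2-HMAC-SHA256 from hashlib stands in for it (the algorithm tag, cost, salt and digest in one record mirror what a bcrypt string carries); the user table and wordlist are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Added illustration, not PageUp's code. bcrypt is not in Python's standard
# library, so PBKDF2-HMAC-SHA256 (hashlib.pbkdf2_hmac) stands in for it; the
# record layout (algorithm tag, cost, per-user salt, digest) mirrors what a
# bcrypt "$2b$12$..." string carries, which is the point being illustrated.

ALG = "pbkdf2-sha256"
SALT_LEN = 16


def hash_password(password: str, cost: int = 50_000,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: alg$cost$salt_b64$digest_b64.

    A fresh random salt per user means two users with the same password get
    different records, so precomputed (rainbow) tables are useless.
    """
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, cost)
    return "$".join([ALG, str(cost),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(digest).decode("ascii")])


def verify_password(password: str, record: str) -> bool:
    """Recompute with the salt and cost stored in the record; compare in constant time."""
    try:
        alg, cost, salt_b64, digest_b64 = record.split("$")
    except ValueError:
        return False
    if alg != ALG:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(cost))
    return hmac.compare_digest(candidate, expected)


def offline_guess(record: str, wordlist: Iterable[str]) -> Optional[str]:
    """What an attacker holding a dumped table can do.

    The salt sits in the clear next to the digest, so it does not stop
    guessing; it only stops sharing work across users. Each guess costs one
    full hash, so the cost parameter, not the salt, sets the attacker's rate,
    and weak passwords still fall.
    """
    for guess in wordlist:
        if verify_password(guess, record):
            return guess
    return None


if __name__ == "__main__":
    # Constructed sample table: two candidates, one with a weak password.
    table = {
        "alice": hash_password("Tr0ub4dor&3-correct-horse"),
        "bob": hash_password("password123"),
    }
    wordlist = ["123456", "password", "password123", "qwerty"]  # constructed
    for user, rec in table.items():
        print(user, rec.split("$")[:2], "cracked:", offline_guess(rec, wordlist))
```

Running it shows alice's record surviving the wordlist and bob's falling to it, with identical cost and distinct salts in both records. The practical reading of the PageUp advice is the same: salted bcrypt buys time measured in the cost factor, not immunity, so a credential reset after a suspected table dump is the right call, and "hashed and salted" is not the same as encrypted, since nothing can be decrypted back to the password.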

The company said that signed employment contracts and resumes are stored on
infrastructure separate from the systems that were affected, and that there
is no evidence the document storage infrastructure has been compromised.

The statement, penned by CEO and co-founder Karen Cariss, said PageUp has
been working with international law enforcement, government authorities,
and independent security experts to "fully investigate" the matter.

As a result, the company said it is unable to provide further detail on
what information has been affected.

"Since becoming aware of unauthorised access we have been urgently
analysing the impact and consequences of this incident and have engaged
independent digital forensic expertise, who have been attempting to
identify what, if any personal data may have been accessed," the statement
continues.

"That said, we can share that the source of the incident was a malware
infection. The malware has been eradicated from our systems and we have
confirmed that our anti-malware signatures can now detect the malware.

"We see no further signs of malicious or unauthorised activity and are
confident in this assessment."

Australian telecommunications provider Telstra, which uses PageUp's services
as part of its employee recruitment processes, has also issued a statement
on the incident.

"In most cases, the personal information that could be potentially impacted
is the applicant's name, phone number, application history, and email
address," Telstra wrote. "For those whose applications were successful, the
data in PageUp's systems may include: Date of birth, employment offer
details, employee number (if a current or previous employee),
pre-employment check outcomes, [and] referee details."

While Telstra said PageUp has not yet advised whether any of its data was
affected, the telco said it will contact impacted individuals if required.

PageUp said it has informed the UK Information Commissioner's Office and
the UK National Cyber Security Centre in line with its obligations for
PageUp People's own staff data, where the local arm is a data controller.


The Australian Cyber Security Centre and Australia's Computer Emergency
Response Team have also been informed, the company confirmed, noting it has
also liaised "as appropriate" with the Office of the Australian Information
Commissioner (OAIC).

The OAIC reported in April it had received 63 notifications since
Australia's Notifiable Data Breaches (NDB) scheme came into effect on
February 22, 2018.

The Quarterly Statistics Report: January 2018-March 2018 revealed that
health service providers accounted for 15 breaches; legal, accounting, and
management services suffered 10; finance, including superannuation,
reported eight breaches; education suffered six; and charities four.

The NDB scheme requires agencies and organisations in Australia that are
covered by the Privacy Act 1988 to notify individuals whose personal
information is involved in a data breach that is likely to result in
"serious harm" as soon as practicable after becoming aware of a breach.

According to the OAIC, 73 percent of the eligible data breaches reported
involved the personal information of fewer than 100 individuals, and just
over half of the notifications involved the personal information of between
one and nine individuals. The remaining 27 percent of notifications under
the NDB scheme involved more than 100 individuals, the report highlighted.

The most common kind of breached information reported to the OAIC was
contact information, which was the subject of 78 percent of the total
breaches reported.

Intelligence agencies, not-for-profit organisations or small businesses
with turnover of less than AU$3 million annually, credit reporting bodies,
and political parties are exempt from the NDB.