The personal details of thousands of Australians have potentially been compromised, with HR company PageUp, which counts Telstra, NAB, Coles, Australia Post, Aldi and Medibank as clients, revealing a massive data breach.
- PageUp provides HR software support to Australia's largest companies in retail and banking
- It is unclear how many Australians are affected by the breach, which could include bank details and superannuation in some cases
- The company said they had informed the Australian Cyber Security Centre about the breach
PageUp, which boasts 2 million active users across 190 countries, posted a statement from chief executive Karen Cariss on its website, saying it had noticed "unusual activity" in its IT infrastructure on May 23.
The company has launched an investigation, while its client companies also released emergency statements to their employees and candidates who had applied for jobs using PageUp's software.
The company has a long list of major Australian companies as clients, with the ABC confirming Target, Telstra, Reserve Bank of Australia, Medibank, Officeworks, Kmart, NAB, Aldi, Linfox, Coles, Australia Post and Lindt as clients of the company.
Some companies used PageUp's software only for recruitment, while others used the technology for more expansive human resources information like salary information, bank details, tax numbers and other sensitive personal data.
Bank details and TFNs may be part of breach
Australia Post said the types of personal information that could have been compromised for successful job applicants to the postal service were bank details, Tax File Numbers, superannuation details, home addresses and drivers licence numbers.
However, in most cases job applicants who were not successful would have only supplied limited information like names and email addresses.
Australia Post said it was contacting job applicants to advise them of the issue.
"As a proactive step, we have also ceased use of PageUp's systems while we seek assurances from PageUp about data security," a spokesperson said.
Clients close careers portals
Medibank suspended its careers webpage after being notified of the PageUp data breach and was "working with PageUp to determine whether the data of its applicants has been compromised".
Telstra said it was holding "urgent discussions" with PageUp to understand the impact on the telco's job applicants and employees.
All recruitment activity that had not progressed beyond a written offer was on hold, a Telstra spokesperson said.
The Australian Red Cross said it had stopped using the PageUp recruitment system as a precaution, and sought to reassure blood donors their sensitive information was not exposed.
"This incident only relates to recruitment-related activity … [and] does not affect the Red Cross Blood Service and the data security of its blood donors in any way," a spokesperson said.
Wesfarmers said its retail businesses Coles, Kmart, Target and Officeworks used PageUp to manage employment applications and employee information and had suspended all connections to the HR company's systems.
Job applicants in 'recent years' warned
A Wesfarmers spokesperson said the company was not currently aware of "any inappropriate activity relating to anyone's data" as a result of the breach.
Australian companies using PageUp:
- Wesfarmers: Coles, Target, Kmart, Officeworks
- Reserve Bank of Australia
- Australia Post
- Australian Red Cross
If you know of any more companies that use PageUp or have been affected by this security breach, please contact email@example.com
"However, we recommend that any person who has applied online for a position with these businesses in recent years check to ensure that there has been no recent unusual activity concerning personal information they may have supplied during the employment process, for example bank accounts, and maintain a close watch on the use of their personal information."
Coles also put out a statement on its careers webpage saying it was a client of the technology provider and had "suspended all connections between Coles' systems and PageUp's systems".
Coles recommended that anyone who had applied for a job at Coles in the past 18 months should check to ensure there was no "recent unusual activity concerning their personal information".
PageUp is also used by the ABC in a limited way to manage its recruitment processes.
"The ABC uses PageUp to support its career portal and recruitment processes, but does not in any way collect personal details such as bank accounts, Tax File Numbers or superannuation information," an ABC spokesperson said.
"We have not received any information from the company about the data breach but have contacted them to seek more details."
First major breach since new laws
University of Canberra cyber security expert Nigel Phair said the incident appeared to be the first major breach since the Government introduced mandatory data-breach reporting rules in February.
Under the new legislation, companies which suspect they have been the target of a data breach must immediately report the incident to customers and clients who may be affected.
"It is difficult to say whether this is the biggest data breach we have experienced in Australia, because in the past companies were not compelled to report breaches to authorities," Adjunct Professor Phair said.
"What this demonstrates is that all Australian companies, not just financial institutions, need to take cybersecurity seriously."
PageUp said it would not be commenting beyond the statement the company had already provided, saying it did not want to compromise its investigation of the data breach.
The company's statement said PageUp had notified the Australian Cyber Security Centre and engaged with Australia's Computer Emergency Response Team and equivalent United Kingdom authorities.