Job applicants' data exposed in PageUp breach


By Dylan Bushell-Embling
Tuesday, 19 June, 2018


Job applicants' data exposed in PageUp breach

The names, contact details, phone numbers and job history of historical clients of online recruitment services company PageUp Limited may have been compromised in the data breach in May, the company has warned.

The breach, first disclosed by the company on 1 June, may have compromised the personal data of some users who had been using the site before 2007.

Investigation to date has found that a small number of error logs from before 2007 that may have been accessed by attackers stored incorrect failed passwords in clear text. Because failed passwords can be similar to correct passwords, this could therefore lead to a compromise of data.

Personal data that may have been exposed includes details on current and former employees of PageUp clients, job applicants and client job references. This potentially includes contact details, biographical details, employment details at the time of the application and the names and contact numbers of references.

No employment contracts, Australian tax file numbers, credit card information or bank account information, applicant resumes were affected in the breach, and there is not yet any indication that any data has been exfiltrated by the attacker.

The federal Attorney-General’s department confirmed to SBS news that some applicants at that agency may have been impacted by the incident.

In a joint statement, the Australian Cyber Security Centre, IDCARE and the Office of the Australian Privacy Commissioner praised PageUp’s proactive and transparent approach to disclosing the potential breach.

“PageUp has committed to advising impacted organisations and individuals if there are any new findings to arise as they complete their investigations,” ACSC Head Alastair MacGibbon said.

“PageUp has demonstrated a commendable level of transparency in how they’ve communicated about, and responded to, this incident: they came forward quickly and engaged openly with affected organisations.”

While IDCARE has assessed the direct risk of identity theft as a result of the incident as unlikely, it noted that other possible risks include exposure to phishing emails, telephone scam calls and other privacy concerns.

Please follow us and share on Twitter and Facebook. You can also subscribe for FREE to our weekly newsletter and quarterly magazine.

Related Articles

Nation-state actors have their sights on the cloud

Prioritising the protection of credentials and adopting robust security measures can better...

Combating financial crime with AI

Rapid digital transformation across Australia and New Zealand has provided cybercriminals with...

Learning from the LockBit takedown

An international taskforce has seized the darknet sites run by LockBit, but relying on law...


  • All content Copyright © 2024 Westwick-Farrow Pty Ltd