PageUp Breach: 'No Specific Evidence' of Data Exfiltration
But Forensic Investigation Shows Attackers Had Exfiltration Tools in Place
Australian human resources software developer PageUp says it has found "no specific evidence" that attackers removed data after the company warned in May that it had been breached. But investigators have found that attackers installed all of the tools they would have needed to exfiltrate data.
PageUp's breach update, posted on its website, closes the loop on what has proved to be a lengthy and challenging investigation into the incident, which the company discovered on May 23.
The company's conclusion, reached nearly six months after it learned it had been hacked, demonstrates how long it can take a company to thoroughly investigate a breach, as well as the backlash that companies may endure as investigators scramble to uncover facts.
"A detailed forensic investigation on the PageUp security incident in May this year has concluded that while an attacker was successful in installing tools that could exfiltrate data, no specific evidence was found that data was exfiltrated," the company says.
Klein & Co., a forensics and consulting firm based in Sydney, reached the conclusion, PageUp says. But PageUp hasn't revealed how attackers were able to infiltrate its systems or what kind of malware they installed. It's also not clear how robust its intrusion detection or logging systems were; stronger detection and logging could have shortened the time to discover the breach and allowed mitigation to begin sooner.
Many large companies in Australia use PageUp, including Commonwealth Bank, Aldi, Telstra, the ABC, Coles, Australia Post and Officeworks. Many of those companies stopped using PageUp while the company investigated the attack, which somewhat hampered companies' hiring practices (see: HR Service Provider PageUp Discloses Data Breach).
PageUp develops a range of cloud-based applications that companies use to screen employees, onboard new workers and manage performance reviews. It also has software for managing contractors, as well as their payrolls and time sheets. PageUp says it has 2 million active monthly users in 90 countries.
PageUp's breach was perhaps the most prominent such incident to occur in Australia this year. Companies that use PageUp's software sent out notices to those who had applied for jobs using the systems. Those emails caused a fair amount of anxiety because of the kinds of data collected from job seekers.
PageUp leaned toward the worst-case scenario after the incident became public, in what proved to be an honest but also bullet-biting move that triggered a backlash.
"While investigations continue, on the balance of probabilities, we believe certain personal data relating to our clients, placement agencies, applicants, references and our employees has been accessed," PageUp CEO Karen Cariss warned customers in a breach update the company had released on June 12.
The company warned the exposed data may have included names, street addresses, email addresses and phone numbers. It said that those who had successfully gained employment as a result of a job application filed through its systems were at a greater risk. Those individuals may have had their birth dates, nationalities, employment offer details, employment numbers, pre-employment checks and referee details exposed (see: PageUp Breach: Job Winners Hit Hardest).
PageUp also recommended that all users change their passwords. The breach potentially exposed their names, email addresses and authentication credentials. But the passwords were hashed with bcrypt and salted, which is considered good practice: bcrypt is deliberately slow to compute and a per-user salt defeats precomputed lookup tables, so leaked hashes are less vulnerable to password cracking attempts.
PageUp bore the brunt of public outrage because its breach affected so many people in Australia who had used its systems.
The company drew praise, however, for its quick response, including from the Australian Cyber Security Center, the Office of the Australian Information Commissioner and IDCare, an organization that helps people recover from ID theft.
PageUp "demonstrated a commendable level of transparency" and quickly engaged with those affected, said Alastair MacGibbon, head of the Australian Cyber Security Center, in a joint statement on June 18.
PageUp notified its customers as well as the ACSC and the OAIC, which enforces the country's data protection regulations. An amendment to Australia's Privacy Act 1988 that went into effect in February requires certain organizations to report data breaches that have a risk of causing serious harm (see: Australia Enacts Mandatory Breach Notification Law).
The law applies to companies and governmental organizations that are covered by the Privacy Act, but excludes from the reporting requirement businesses that have less than 3 million Australian dollars ($2.2 million) in annual revenue. Fines for violating the law range from AU$360,000 for individuals to AU$1.8 million for organizations.
PageUp also disclosed the breach to the U.K. Information Commissioner's Office, which enforces privacy rules, including the EU's General Data Protection Regulation, across the United Kingdom.