PageUp data breach – list of organisations affected (and what you should do)

 

There is every chance that you have received several emails concerning a potential breach of personal information as a result of the PageUp IT security issue. Sydney-based PageUp is a human resource outsourcing company that manages recruitment applications for an array of organisations, Local Government and Commonwealth Government departments.

Boasting 2 million active users across 190 countries, PageUp said it discovered “unusual activity” in its IT systems across Australia, Singapore, and the UK in late May 2018. In accordance with Australia’s Privacy Act Notifiable Data Breaches (NDB) scheme, PageUp went public with the breach on Friday, 1 June 2018 and, in parallel, engaged both security specialists and law enforcement. The Australian Cyber Security Centre, Australian Federal Police and multiple independent expert cybersecurity firms continue to investigate the incident.

Inner Circle does not use PageUp, but some of our clients do.

The breach was the result of malware that gave an unauthorised third party access to the personal data of hundreds of thousands of job applicants, referees, employees and contractors dating back to 2007, if not earlier. The Tasmanian Government alone has had 120,000 job seekers impacted.


Job applicants’, employees’ and former employees’ names, email and physical addresses, phone numbers, biographical details such as date of birth, gender, country of residence, and employment details are suspected to have been compromised.

PageUp claims that no employment contracts, applicant resumes, tax file numbers, credit card information or bank account information were affected. It also claims the hack has been eradicated and that cybersecurity professionals are reviewing its systems to improve security.

Despite the assurances, a number of customers have suspended their job websites with PageUp, reinforcing just how damaging a data breach can be for business. In addition, class actions are being floated, and because of its European expansion PageUp faces the threat of the new GDPR penalties of €20 million, or 4% of its global turnover.

The full impact of the breach will be discovered in due course. Whether PageUp will recover from the breach is another matter altogether.

PageUp has “a couple of hundred corporate customers including government” according to Australian Cyber Security Centre Head, Alastair MacGibbon. Media reports and Google searches show that the list of companies and Government departments affected by the breach includes:

 

  • Aegis
  • AGL
  • AHPRA
  • Airservices
  • Aldi
  • Allens Linklaters
  • Alinta Energy
  • AMP
  • Armaguard
  • ANZ Asahi
  • Aurecon Group
  • Aurizon
  • Ausgrid
  • Australia Post
  • Australian Broadcasting Corporation
  • Australian Catholic University
  • Australian Department of Defence
  • Australian National University
  • Australian Office of Financial Management
  • Australian Red Cross
  • Australian Venue Co.
  • Bankwest
  • Bauer Media
  • Bendigo Bank
  • BMD
  • Boral
  • BP
  • Broad Constructions
  • BUPA
  • Canon Information Systems Research Australia
  • Charles Sturt University
  • CIMIC Group
  • City of Casey
  • City of Greater Dandenong
  • City of Monash
  • City of Yarra
  • Cleanaway
  • Cochlear
  • Commonwealth Bank
  • Country Road Group (including Mimco, Politix, Trenery and Witchery)
  • CPB Contractors
  • CSR
  • Carlton & United Breweries
  • David Jones
  • Department of Industry, Innovation and Science
  • Downer Group
  • DuluxGroup
  • EBOD (including Symbion)
  • Employers Mutual
  • EnergyAustralia
  • Enerven
  • Essential Energy
  • Estee Lauder
  • Evolution Mining
  • Federal Attorney General’s Office
  • Federation University
  • Flight Centre Travel
  • Flinders University
  • Fortescue Metals Group
  • Foxtel
  • Fulton Hogan
  • Grant Thornton Australia
  • Harvey Norman (including Domayne and Joyce Mayne)
  • HCF
  • HydroTasmania
  • ISS
  • Jetstar
  • Just Group (Dotti, Jacqui E, Jay Jays, Just Jeans, Peter Alexander, Portmans and Smiggle)
  • Kathmandu
  • KPMG
  • Landmark
  • Latrobe University
  • Lindt
  • Linfox
  • Macquarie Group
  • Macquarie University
  • Maurice Blackburn
  • Marsh
  • Medibank
  • Melbourne Water
  • Metcash
  • Michael Hill
  • MinterEllison
  • Mission Australia
  • Mitchell Shire Council
  • Momentum Energy
  • Monash University
  • Myer
  • National Archives of Australia
  • National Australia Bank
  • Network TEN
  • Newcrest Mining
  • NIB
  • Orica
  • Powerlink
  • Programmed
  • Queensland Rail
  • Queensland Urban Utilities
  • RAC
  • Randstad
  • Reserve Bank of Australia
  • RMIT
  • SA Health
  • SA Power Networks
  • SA Water
  • Salmat
  • Scentre Group
  • Sensis
  • Seven West Media
  • Simplot Australia
  • Singapore Government Careers
  • SMEC
  • Sony
  • Southern Cross Austereo
  • Sportsbet
  • Spotless
  • Stanwell
  • Star Entertainment
  • Suncorp
  • Sussan Group (Sussan, Sportsgirl & Suzanne Grae)
  • Tabcorp
  • TAC
  • Tasmanian Government
  • Tatts Group
  • Telstra
  • The Star Entertainment Group
  • Thiess
  • Transdev
  • Treasury Department
  • Unicef
  • University of Adelaide
  • University of Melbourne
  • University of Tasmania
  • Ventia
  • Victoria University
  • Village Roadshow
  • Virgin Australia
  • Watpac
  • Wesfarmers (Coles, Kmart, Officeworks and Target)
  • Workcover Queensland
  • Zurich

 


This list is not exhaustive. Please check the careers portals of any company, government department or university where you have applied for a job in recent years to see if they have posted a notification about the breach.

As a whole, our clients have proactively offered transparency and visibility by communicating details to those affected by personal email and, in some cases, public notices.

If you have applied for a job or been onboarded through PageUp, the Office of the Australian Information Commissioner (OAIC) suggests you should contact PageUp at [email protected]. If you are not satisfied with their response, you can contact the OAIC directly with your concerns at https://www.oaic.gov.au or on 1300 363 992.

If you suspect you could be a victim of identity fraud due to the PageUp data breach, or have received a data breach notification from the Australian Government over the incident, the OAIC has posted advice on what you should do at https://www.oaic.gov.au/individuals/data-breach-guidance/what-to-do-after-a-data-breach-notification.

To reiterate, Inner Circle does not use PageUp, but some of our clients do. If you have questions, please contact us.

 

