Almost two weeks after human resources (HR) software provider PageUp revealed that personal data relating to its clients might have been compromised following a malware hit in May, the company has confirmed that some information was accessed.
“After extensive review we now know that certain personal data relating to our clients, applicants, references and our employees has been accessed by a cyber attacker,” the company said in a statement published on 12 June.
“Although the incident has been contained and PageUp is safe to use, we sincerely regret some data may be at risk. Given the balance of probabilities, we are taking action to inform our customers and update authorities,” the software-as-a-service (SaaS) vendor said.
While current PageUp password data is protected using the password hashing algorithm, bcrypt, which includes salts, the company said that failed login attempt data from 2007 and before contained a very small amount of password data in clear text.
“If employees have not changed their password information since 2007, it would be prudent to do this now and anywhere where they may have used the same password,” PageUp said.
While the company said it has confirmed that the threat on its systems has been contained and eradicated, it has conceded that some employee usernames and passwords may have been accessed.
At the same time, although forensic analysis is continuing, the company said that based on its current information, it believes the affected data may include names, street addresses, email addresses, and telephone numbers.
“Some employee usernames and passwords may have been accessed, however current password data is protected using industry best practice techniques including hashing and salting, and therefore is considered to be of very low risk to individuals,” PageUp said.
Some personal data for employees who currently or previously had access to the client’s PageUp instance may also be affected.
The company claims that no employment contracts, applicant resumes, Australian tax file numbers, credit card information or bank account information were affected, nor was data relating to its new starter forms, onboarding, performance, learning, compensation or succession modules was affected.
While an investigation into the incident is ongoing, PageUp said it has deployed several layers of advanced security monitoring solutions, which have not identified any ongoing malicious activity.
“We take privacy very seriously and are doing everything in our power to make our systems and security processes – and most importantly the data we hold – more secure, now and for the long-term," PageUp CEO and founder Karen Cariss said.
"We sincerely apologise to our clients, applicants and employees who may be affected by this incident,” Cariss said.
PageUp detected unusual activity on its IT infrastructure on May 23, immediately launching a forensic investigation.
On May 28, its investigations revealed that there were some indicators that client data may have been compromised.
Australia Post, among dozens of other users of the company’s platform, issued warnings to affected employees or temporarily suspended the service provided by the company.
Sydney-based law firm Centennial Lawyers subsequently revealed that it is investigating the prospects of a class action against PageUp as a result of the information breach.
A forensic investigation with assistance from an independent third party is currently ongoing.