Seven West and Bauer Media hit by PageUp People recruitment platform breach
Bauer and Seven West Media are among the victims of a security breach on an Australian recruitment platform that has seen job seekers’ personal details potentially compromised.
Melbourne-based HR service PageUp People has been debilitated after it detected ‘unauthorised activity’ on its network in late May. Since the announcement, large clients including Bauer, Seven West, Telstra and Coles have suspended their services with the company.
Last night, Bauer sent out messages to those whose data has been potentially compromised, warning they should change passwords and be wary of phishing attacks from fraudsters using the personal details taken from the system.
Among those receiving the message from Bauer were some industry figures who claimed they had never applied for a job with the company. Mumbrella understands their details were most probably entered into the system by recruitment agencies.
Seven West Media hasn’t sent out a warning to affected job seekers; however, it has suspended use of the company’s platform, with its job seeker page now saying online recruitment services are suspended until SWM is confident data is secure.
Karen Cariss, CEO and co-founder of the service, said in a statement: “PageUp detected unusual activity on its IT infrastructure and immediately launched a forensic investigation. On May 28, 2018 our investigations revealed that we have some indicators that client data may have been compromised, a forensic investigation with assistance from an independent 3rd party is currently ongoing.
“We take cyber security very seriously and have been working together with international law enforcement, government authorities and independent security experts to fully investigate the matter.
“There is no evidence that there is still an active threat, and the jobs website can continue to be used. All client user and candidate passwords in our database are hashed using bcrypt and salted, however, out of an abundance of caution, we suggest users change their password.”
The company has an updated page on the security breach with advice for people concerned about their private information.
PageUp declined to answer Mumbrella’s questions about whether any other media companies have been affected or the number of potentially compromised individual accounts.
The text of Bauer’s warning message is below:
Important Notification about PageUp Security Incident
It has come to our attention that as a result of a recent security incident at PageUp, a vendor that provides certain hiring-related information services to Bauer Media, some of your personal details may have been accessed by an unauthorised person and possibly disclosed.
What has happened?
We have been advised that forensic investigations by PageUp have confirmed that an unauthorised person gained access to PageUp systems and personal data relating to clients, job applicants, references and PageUp employees. PageUp has provided more information on the incident here: PageUp Security Incident Update
How could I be impacted?
PageUp’s forensic experts have identified that compromised data may include names, street addresses, email addresses, and telephone numbers. Some employee usernames and passwords may have been accessed but are protected using encryption.
Importantly, PageUp has advised that it is confident that the most critical data categories including resumes, financial information, Australian tax file numbers, employee performance reports and employment contracts are not affected in this incident.
Are PageUp systems safe to use?
PageUp has advised that the incident has been contained on PageUp systems, and that PageUp is safe to use. Further security measures have been implemented to guard against any similar incidents in the future.
For general information about how you can protect your data privacy, visit the Australian Competition and Consumer Commission website at www.scamwatch.gov.au; and for NZ the Commerce Commission in New Zealand www.comcom.govt.nz.
What should I do?
If you are concerned your data may have been accessed by an unauthorised party, we advise that as a minimum you perform the following good security practices:
- Change your passwords on other online services, if you re-use the same password
- Enable multi-factor authentication and other available security measures provided by your other online services
- Be aware of potential phishing emails and telephone calls from businesses or institutions requesting your personal details. Avoid opening attachments from unknown senders via email or social media
- Install anti-virus software and keep it updated
- Apply all recommended software patches from operating system and software providers.
http://www.abc.net.au/careers/
User ID not verified.
Yep, got that email about 3 times, and literally had no idea:
1) What PageUp even was
2) Why they might have my details
3) What external tool I might have used that was connected to PageUp, and
4) Why their communication didn’t tell me any of this.
User ID not verified.
‘…some industry figures who claimed they had never applied for a job with the company.’
Possibly listed as a reference / referee for someone who did apply for a role with the company, meaning email address would be in the company system.
User ID not verified.
…although I got my email from Virgin Airlines and have no idea what their affiliation is or what purpose PageUp serve!
User ID not verified.
@Liz
PageUp is like a “mini-website” that you plug into your own overall site, specifically for job search, managing applications, interviews etc. The idea is that instead of having to create all this functionality yourself, you get something standard from them at a lower cost. Companies like Monster.com do the same for HR.
Funniest quote here being
“PageUp co-founder Karen Cariss: “Out of an abundance of caution, we suggest users change their password””
Ridiculous statement in that PageUp is installed separately on each site it works with, so you’d have to (a) remember all of the jobs/companies you applied for where you were forced to use their functionality, and (b) then visit all of them and go through the application you no longer trust. Presuming (c) you can still access it given “large clients including Bauer, Seven West, Telstra and Coles have suspended their services with the company.”
Every time I’m looking for a new job I find it incredibly tedious having to add my career and other details into these ugly, complicated interfaces that match what the company wants, for roles that often have a clunky automated “algorithm” that throws out 95% of people arbitrarily anyways.
And now as well as being a horrible user experience, it’s exposing your private data as well. Good one!
User ID not verified.