The personal details of thousands of Australians have potentially been compromised, with HR company PageUp, which counts Telstra, NAB, Coles, Australia Post, Aldi and Medibank as clients, revealing a massive data breach.

PageUp, which boasts two million active users across 190 countries, posted a statement from chief executive Karen Cariss on its website, saying it had noticed “unusual activity” in its IT infrastructure on May 23.

The company has launched an investigation, while its client companies also released emergency statements to their employees and candidates who had applied for jobs using PageUp’s software.

The company has a long list of major Australian companies as clients, with the ABC confirming Target, Telstra, Reserve Bank of Australia, Medibank, Officeworks, Kmart, NAB, Aldi, Linfox, Coles, Australia Post and Lindt as clients of the company.

Australian Government departments are also involved in the data breach, with the ABC confirming the Attorney-General’s Department as a PageUp client.

“Initial advice has indicated that no sensitive data has been compromised,” a department spokesperson said.

Some companies used PageUp’s software only for recruitment, while others used the technology for more expansive human resources information like salary information, bank details, tax file numbers and other sensitive personal data.

Criminals looking for new ways to ‘wreak havoc’

PageUp’s company statement said it had notified the Australian Cyber Security Centre (ACSC) and engaged with Australia’s Computer Emergency Response Team and equivalent United Kingdom authorities.

Head of the ACSC Alistair MacGibbon said the centre was working with PageUp to investigate the security breach.

“There has been a breach. There has been malicious code executed inside PageUp’s systems and criminals may have access to an amount of documentation, we just don’t know exactly what it is,” Mr MacGibbon said.

“Any breach is bad and our job in the government is to reduce the likelihood of these events happening. But, unfortunately, the reality is that criminal groups are always looking at new ways to steal credentials and wreak havoc on our society.”

Mr MacGibbon recommended any PageUp users change their passwords.

Bank details and TFNs may be part of breach

Australia Post said the types of personal information that could have been compromised for successful job applicants to the postal service were bank details, tax file numbers, superannuation details, home addresses and driver’s licence numbers.

However, in most cases job applicants who were not successful would have only supplied limited information like names and email addresses.

Australia Post said it was contacting job applicants to advise them of the issue.

“As a proactive step, we have also ceased use of PageUp’s systems while we seek assurances from PageUp about data security,” a spokesperson said.

Clients close careers portals

Medibank suspended its careers webpage after being notified of the PageUp data breach and was “working with PageUp to determine whether the data of its applicants has been compromised”.

Telstra said it was holding “urgent discussions” with PageUp to understand the impact on the telco’s job applicants and employees.

All recruitment activity that had not progressed beyond a written offer was on hold, a Telstra spokesperson said.

The Australian Red Cross said it had stopped using the PageUp recruitment system as a precaution, and sought to reassure blood donors their sensitive information was not exposed.

“This incident only relates to recruitment-related activity … [and] does not affect the Red Cross Blood Service and the data security of its blood donors in any way,” a spokesperson said.

Wesfarmers said its retail businesses Coles, Kmart, Target and Officeworks used PageUp to manage employment applications and employee information and had suspended all connections to the HR company’s systems.

Job applicants in ‘recent years’ warned

A Wesfarmers spokesperson said the company was not currently aware of “any inappropriate activity relating to anyone’s data” as a result of the breach.

“However, we recommend that any person who has applied online for a position with these businesses in recent years check to ensure that there has been no recent unusual activity concerning personal information they may have supplied during the employment process, for example bank accounts, and maintain a close watch on the use of their personal information.”

Coles also put out a statement on its careers webpage saying it was a client of the technology provider and had “suspended all connections between Coles’ systems and PageUp’s systems”.

Coles recommended that anyone who had applied for a job at Coles in the past 18 months should check to ensure there was no “recent unusual activity concerning their personal information”.

PageUp is also used by the ABC in a limited way to manage its recruitment processes.

“The ABC uses PageUp to support its career portal and recruitment processes, but does not in any way collect personal details such as bank accounts, tax file numbers or superannuation information,” an ABC spokesperson said.

“We have not received any information from the company about the data breach but have contacted them to seek more details.”

First major breach since new laws

University of Canberra cyber security expert Nigel Phair said the incident appeared to be the first major breach since the government introduced mandatory data-breach reporting rules in February.

Under the new legislation, companies which suspect they have been the target of a data breach must immediately report the incident to customers and clients who may be affected.

“It is difficult to say whether this is the biggest data breach we have experienced in Australia, because in the past companies were not compelled to report breaches to authorities,” Adjunct Professor Phair said.

“What this demonstrates is that all Australian companies, not just financial institutions, need to take cybersecurity seriously.”

PageUp said it would not be commenting beyond the statement the company had already provided, saying it did not want to compromise its investigation of the data breach.

–ABC