Lessons from the PageUp data breach

This article was originally published 16 October 2018.

When an organisation experiences a data breach, the response must be swift, coordinated and professional. If not, the consequences can be far reaching.

A recent Australian example is the coordinated attack on PageUp, an online recruitment management platform.

What happened?

On 23 May 2018 PageUp notified the public that it had detected unusual activity within its information systems in Australia, Singapore and the UK, indicating that an unauthorised party had accessed the personally identifiable information of the users of the PageUp platform. This data included names, street addresses, email addresses, telephone numbers, gender, dates of birth and employment details. Imagine what could be done by with this information by people with the wrong intentions!

By 27 June 2018 (more than one month after the initial breach was brought to the attention of the public), the PageUp CEO couldn’t provide an update on the number of records impacted, yet media estimated it at 120,000. In the world of cyber security one month is a very long time.

What was the impact?

For PageUp, the impact has been severe. Customers who were impacted by the breach included the likes of the Commonwealth Bank, The Australian Broadcasting Corporation, Telstra, NAB, Coles, Aldi and Australia Post – along with many other high profile and sizeable organisations and government departments.

Many customers lost faith in the platform and cancelled their contracts in the wake of the breach, while some of those who have stayed on board still don’t have a functional recruitment platform, while others have resorted to manual processes.

Regulatory consequences have also been serious given reporting obligations for EU based customers (as per the General Data Protection Regulation (GDPR)) and under the Notifiable Data Breaches Scheme.

To add further pain, PageUp has delayed its Australian Securities Exchange listing, which was planned to have commenced this year.  This data breach caused reputational and brand damage to PageUp, which will likely result in financial impacts to their business. 

The impact on the individuals who had their information breached must also be considered, as they are now exposed to a direct risk of identity theft and fraud.

What can we learn?

There is no denying that PageUp has found itself in a very unfortunate situation. No organisation would want to be faced with the negative media coverage PageUp received. 

The best way to protect against a cyber attack is to be proactive.

  • Understand what your critical assets are
  • Know who would want to compromise or damage them (or who may want to in the future), and how they would try to do it
  • Have a plan to respond to a cyber security incident – test and exercise it to make sure you know how to use it when you need it
  • Ensure your organisation understands how to work together towards recovering from a cyber security incident – a coordinated response is key.

Be prepared

Does cyber security feature on your organisation's risk radar? The 2018/2019 BDO and AusCERT Cyber Security Survey is now open. Participate today to help benchmark your organisation’s cyber risk and data breach preparedness. To discuss your organisation’s cyber preparedness in detail please contact Leon Fouche, National Leader, Cyber Security.