Welcome back to our Data Breach of the Month series, where we look at a notable cyber incident or data breach from the past month. Sometimes we’ll offer deeper analysis of the latest big breach, and other times we’ll focus on a lesser known incident that has outsized implications for the security industry.
In each case, you’ll learn the type of data breached, the vulnerabilities or gaps that were exploited, and what organizations can do to remediate effectively and address potential root causes.
So without further ado, our breach of the month for June 2018 is… the user data breach at PageUp.
PageUp is an Australian provider of cloud-based software for recruiting, hiring, onboarding, performance reviews, and other human resources activities. The company disclosed in early June that they had detected unusual activity on their IT system. Days later, this was confirmed to be a malware attack. An investigation soon determined that users’ personal data had likely been accessed by the attackers. It is not known how many people were impacted, but the company has more than two million active monthly users.
The data that was compromised may have included usernames, passwords, names, email addresses, street addresses, phone numbers, and employment information—all belonging to employees of, or applicants to, organizations that use PageUp software. PageUp stores passwords as bcrypt hashes rather than in plain text, with the exception of some legacy plaintext password data from 2007 and earlier. The bcrypt-hashed passwords are therefore considered to be at low risk in the breach; the legacy plaintext records are the exception, and anyone whose account dates from that era should treat that password as exposed.
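The practical difference between those two kinds of record is worth seeing in code. The example below is added for this article and is not PageUp's code; it assumes a simple scheme-tagged record format (`pbkdf2$…` and `plain$…`) invented here, and it uses PBKDF2 from Python's standard library as a stand-in for bcrypt, which is not in the standard library, since the storage pattern is the same: a salted slow hash per user, legacy plaintext records upgraded on the next successful login, and a triage helper that lists which accounts would have directly readable passwords if the table were dumped.

```python
import hashlib
import hmac
import os

# Record formats (constructed for this example, not a real product's schema):
#   "pbkdf2$<iterations>$<salt_hex>$<hash_hex>"  salted slow hash (bcrypt stand-in)
#   "plain$<password>"                          legacy plaintext record
ITERATIONS = 100_000


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Hash with a fresh 16-byte random salt and a deliberately slow KDF."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Check a password against either record type using constant-time compares."""
    scheme, rest = record.split("$", 1)
    if scheme == "plain":
        return hmac.compare_digest(password.encode(), rest.encode())
    if scheme == "pbkdf2":
        iters, salt_hex, hash_hex = rest.split("$")
        digest = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
        )
        return hmac.compare_digest(digest, bytes.fromhex(hash_hex))
    raise ValueError(f"unknown record scheme {scheme!r}")


def login(store: dict, user: str, password: str) -> bool:
    """Authenticate; on success, silently replace a legacy plaintext record
    with a hashed one (the only moment the server legitimately has the
    password in hand)."""
    record = store.get(user)
    if record is None or not verify_password(password, record):
        return False
    if record.startswith("plain$"):
        store[user] = hash_password(password)
    return True


def recoverable_if_dumped(store: dict) -> list:
    """Post-breach triage: which accounts' passwords are readable straight
    out of a dump? Hashed records are not listed; they still need offline
    cracking, which is what makes them low risk compared to plaintext."""
    return sorted(user for user, record in store.items() if record.startswith("plain$"))


def build_sample_store() -> dict:
    """Constructed sample table: one modern record, one 2007-style record."""
    return {
        "alice": hash_password("correct horse battery staple"),
        "bob_2007": "plain$hunter2",
    }


if __name__ == "__main__":
    store = build_sample_store()
    print("readable in a dump before any logins:", recoverable_if_dumped(store))
    print("bob logs in:", login(store, "bob_2007", "hunter2"))
    print("readable in a dump after bob's login:", recoverable_if_dumped(store))
```

The upgrade-on-login step only reaches users who actually return; dormant accounts keep their plaintext record indefinitely, which is exactly the residual exposure a 2007-era data set represents. Forcing a reset for any account still tagged `plain$` closes that gap without waiting for the user.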
A Sydney law firm is putting together a class action lawsuit against PageUp on behalf of users whose data was exposed, and several high-profile organizations that use PageUp have suspended their connections to the system.
It’s not yet publicly known how the attack occurred. PageUp simply disclosed that an unauthorized person gained access to their systems. PageUp is working with a cybersecurity firm to evaluate and improve their systems, as well as law enforcement and regulators to address the incident.
PageUp seems to have done a lot of things right. They hashed stored passwords with bcrypt rather than keeping them in plain text, and they practice internal data segregation, which appears to have restricted the scope of the attack. They have said that many critical data categories, including Australian tax file numbers, were not exposed, and that the data held by several of their software modules was not affected at all.
For companies like PageUp, which store massive amounts of customer data, it is prudent to ensure that systems are in place to quickly detect and report breaches. The PageUp breach presumably now falls under the jurisdiction of GDPR, and it also required reporting to the Office of the Australian Information Commissioner (OAIC) under the Notifiable Data Breaches scheme introduced by recent amendments to Australia's Privacy Act. As we have described elsewhere, solutions like D3 can be instrumental in meeting strict breach notification requirements.
For companies that are evaluating vendors like PageUp that will be handling sensitive information, the vendor’s commitment to information security should be an important criterion. Too many companies are pouring resources into their own security processes, only to be exposed when a vendor misconfigures an AWS cloud storage bucket, or makes some other mistake. D3 takes the responsibility of handling customer data very seriously, and even helps customers prevent internal information security leaks, using granular access controls, and eliminating reliance on insecure emails and spreadsheets during incident response.
Thanks for joining us. We’ll see you back here next month for a new Data Breach of the Month.