This is a work in progress. While we strive for accuracy, some breach details may be incomplete or pending verification.

PageUp People

Summary

PageUp People, a widely used Australian cloud-based HR and recruitment platform, suffered a significant data breach in May 2018 affecting multiple client organisations across Australia. As a supply chain breach, the incident compromised employee and candidate data from numerous companies that used PageUp's recruitment, onboarding, and performance management services. The breach prompted PageUp to take its entire platform offline for approximately a week while investigating and securing systems.

What Happened

In late May 2018, PageUp detected suspicious activity on its platform indicating unauthorised access to client data. The company immediately took its systems offline on 23 May to investigate the intrusion and prevent further data access. Security experts determined that attackers had gained access to databases containing information from PageUp's client organisations.

The compromised data included personal information submitted by job applicants and employees through PageUp's recruitment and HR management systems: names, contact details, employment histories and, in some cases, more sensitive information such as dates of birth and hashed passwords. The breach affected data from multiple organisations simultaneously, making it a significant supply chain security incident.

PageUp worked with cybersecurity specialists and law enforcement to investigate how the breach occurred and the full extent of data accessed. The platform remained offline for approximately one week while security measures were implemented and systems were verified as secure.

Impact on Individuals

The breach affected job seekers and employees whose information was held in PageUp's systems on behalf of client organisations:

  • Job applicants: Individuals who had applied for positions at organisations using PageUp's recruitment platform
  • Current employees: Staff at organisations using PageUp for HR management, performance reviews, or learning systems
  • Former employees: Historical HR data maintained in the system

Potential risks included:

  • Identity theft: The combination of personal details could enable fraud
  • Targeted phishing: Email addresses and employment information could be used for convincing phishing campaigns
  • Account takeover: Hashed passwords could potentially be cracked and used for account access
  • Privacy violation: Disclosure of employment history and application details

Because this was a supply chain breach, individuals may not have been aware that their data was held by PageUp, as they interacted primarily with their employer or prospective employer.

Organisational Response

PageUp took immediate action to contain and remediate the breach:

  • Took entire platform offline within hours of detecting suspicious activity
  • Engaged external cybersecurity experts to conduct forensic investigation
  • Notified client organisations so they could inform affected individuals
  • Worked with the Australian Cyber Security Centre and law enforcement
  • Implemented enhanced security measures before restoring services
  • Required all users to reset passwords upon service restoration
  • Established dedicated communication channels for affected organisations

Client organisations using PageUp were responsible for notifying their own employees and applicants about the breach, leading to multiple separate breach notifications across different sectors.

Supply Chain Implications

The PageUp breach highlighted significant risks in HR technology supply chains:

  • Centralised risk: A single vendor breach affected multiple organisations simultaneously
  • Data aggregation: Platforms holding data from many organisations create high-value targets for attackers
  • Notification complexity: Determining who was responsible for notifying affected individuals was complex
  • Service disruption: Week-long outage affected recruitment and HR operations across multiple organisations
  • Third-party security: Organisations realised their data security depended on vendors' security practices

Major Australian companies and government agencies using PageUp were impacted, including some that subsequently conducted their own breach investigations to determine what employee data had been compromised.

Sector Impact

The breach had broader implications for the HR technology sector in Australia:

  • Increased scrutiny of cloud HR platforms' security practices
  • Greater due diligence by organisations selecting HR technology vendors
  • Enhanced contractual requirements for data security in vendor agreements
  • Recognition of HR platforms as critical business infrastructure requiring strong security

The incident contributed to growing awareness of supply chain cybersecurity risks and the need for organisations to assess not just their own security but that of their technology vendors, especially those handling sensitive employee data.
