PageUp: No Sign of Data ExfiltrationBut Old Error Logs Contained Clear Text of Incorrect Passwords
Human resources software developer PageUp says it doesn't appear that personal data exposed in a malware attack was actually removed from its systems. But it has also found authentication error logs that recorded incorrect login attempts from before 2007 in clear text.
PageUp's third update comes as it continues to investigate a breach discovered on May 28. Five days prior, malware infected the company's systems, putting at risk jobseekers' personal data including, at minimum, names, email addresses, physical addresses and phone numbers.
"A small number of PageUp error logs from before 2007 may have contained incorrect failed passwords in clear text."
The company, which has clients worldwide, also said that usernames and passwords may have been breached. The passwords, however, were hashed using bcrypt and "salted," a security measure that makes it more difficult to discover the plain-text password.
But its latest update indicates that some clear-text passwords, albeit incorrect ones, may have been exposed.
"A small number of PageUp error logs from before 2007 may have contained incorrect failed passwords in clear text," PageUp says. "Because failed passwords can be similar to correct passwords, if employees have not changed their password information since 2007, it would be prudent to do this now and anywhere where they may have used the same password."
Tim de Sousa, a principal at the consultancy elevenM, says that finding begs questions why PageUp would still be retaining potentially sensitive log data 11 years later.
Australia's Privacy Act 1988 contains 13 privacy principles, one of which says that organizations should discard data that is no longer required for a lawful purpose, he says. But de Sousa notes many organizations face challenges around knowing where all their data resides and applying uniform security controls.
But mastering data governance has its advantages, including prompt deletion of data no longer needed. "You can't lose what you don't have," de Sousa says.
Regulator: PageUp 'In Line'
The breach may be one of the largest to affect an Australian company since a mandatory breach notification requirement went into effect on Feb. 22. In April, the Office of the Australian Information Commissioner issued statistics on breaches reported so far under the scheme.
Of the 63 incidents, only six affected more than 1,000 people. Three affected between 10,000 and 99,999 people.
PageUp hasn't said how many people are affected by its breach, and it isn't required under law to do so. But the company counts more than 2 million active monthly users in 90 countries.
None of its updates have indicated a geographical or other boundary on those potentially affected, although PageUp did notify the U.K.'s Office of the Information Commissioner.
The OAIC appears to approve of PageUp's handling of the incident. In a joint statement with IDCare and the Australian Cyber Security Centre on Monday, the OAIC says PageUp's notifications have fallen in line with requirements.
PageUp directly notified the OAIC and its clients, which include large blue-chip companies and organizations in Australia, including Commonwealth Bank, Australia Post, Coles, Telstra and governmental departments such as the attorney general's office.
Those organizations have been emailing people who applied for jobs using PageUp's systems via their own portals.
PageUp's update also resolves some discrepancies between what data it said was at risk and what data its clients were telling job applicants were at risk.
The company initially said that names, email addresses, physical addresses and phone numbers were potentially affected. But an examination by ISMG of public notifications posted by PageUp customers shows that the data at risk depended also on whether a job application was successful (see PageUp Breach: Job Winners Hit Hardest).
For example, Telstra says the data at risk for successful candidates may include birth dates, nationality, employment offer details, employee numbers for either current or former employees, pre-employment check outcomes and referee details. The grocery chain Aldi also says successful applicants may have had their birth date, employment offer details and employee numbers breached.
The company's update now accounts for those differences. In addition, it says some nonpersonal information for client agencies may have been disclosed, including "publicly available job information, system communications and approval requests related to postings and system information related to service level integrations."
Likewise for individuals, "client's agency contact's login details, including name, email address, physical address, and telephone number are among those potentially affected."
de Sousa says the PageUp incident illustrates how companies should be careful when choosing a third-party supplier and consider the impact if something goes wrong.
"If you are going to trust a third party with your information or you are going to trust them to collect it, you are trusting them with your corporate reputation."
—Tim de Sousa, elevenM
PageUp offers a highly customizable, cloud-based human resources software that has proved attractive to many organizations, de Sousa says. PageUp's software is embedded within a company's website, so it may not be clear to the end user that they're using a different service when applying for positions.
Companies need to take that into account when engaging in supplier relationships, de Sousa says.
"If you are going to trust a third party with your information or you are going to trust them to collect it, you are trusting them with your corporate reputation," he says.
Several PageUp customers publicly said they cut off data connections to the company, even after PageUp said the malware had been removed from its systems and maintained there was no ongoing risk.