At least three major Australian organisations have suspended recruitment activities following a malware infection at their recruitment portal provider PageUp People, amid concerns job applicants’ personal information was compromised.
Telstra, Australia Post and the Reserve Bank of Australia this week released advisories or notices on their websites after learning of the breach.
“[PageUp People] have advised us that their investigation is continuing and while this is occurring we have suspended our use of their services,” Telstra human resources group executive Alex Badenoch wrote in a blog post.
“This includes all current recruitment activity that has not been progressed past a written offer being placed on hold.”
Australia Post also confirmed it was dealing with the issue. A post on its site acknowledged the breach and said it had, for the time being, ceased using PageUp to process job applications.
“Although we started using PageUp for online recruitment in October 2016, the recruitment system started collecting more extensive personal information from May 2017,” the postage provider wrote.
The Reserve Bank's careers portal has been disabled, with a note on the website telling users: "The Reserve Bank of Australia has suspended links to PageUp People from its careers page following advice from PageUp People that there has been unauthorised activity on its global IT system."
Telstra’s Badenoch said user data impacted by the breach could include dates of birth, employee numbers, pre-employment check outcomes and referee details – although PageUp said all data was encrypted.
PageUp this week revealed it had detected unusual activity on its IT network in late May and launched an investigation, which indicated client data may have been compromised.
“We take cyber security very seriously and have been working together with international law enforcement, government authorities and independent security experts to fully investigate the matter,” PageUp chief executive Karen Cariss wrote in an advisory on the company’s website.
“There is no evidence that there is still an active threat, and the jobs website can continue to be used. All client user and candidate passwords in our database are hashed using bcrypt and salted; however, out of an abundance of caution, we suggest users change their password.”
The company said it had taken steps to further harden its infrastructure, that investigations were ongoing, and that signed employment contracts stored on PageUp servers were safe because they were held on different infrastructure.
PageUp said it had notified the Australian Cyber Security Centre and other security bodies and consultants.
The company's other recruitment portal clients include Lindt, Linfox, Zurich and Victoria University.