UPDATE
Human resource firm PageUp warned customers its backend infrastructure was infected with malware and as a result customers’ sensitive information such as names, contacts and passwords may have been breached.
A week after the initial announcement of the malware, on June 12, PageUp said that after extensive review it now knows that certain personal data relating to clients, applicants, references and employees has, in fact, been accessed by a cyber attacker.
“We continue to run forensic analysis, but based on our current information we believe the affected data may include names, street addresses, email addresses, and telephone numbers,” PageUp said in a statement. “Some employee usernames and passwords may have been accessed, however current password data is protected using industry best practice techniques including hashing and salting, and therefore is considered to be of very low risk to individuals.”
PageUp said that no employment contracts, applicant resumes, Australian tax file numbers, credit card information or bank account information were affected. Further, no data pertaining to its Onboarding, Performance, Learning, Compensation or Succession Modules was affected.
“We have confirmed that the threat on our systems has been contained and eradicated,” said PageUp. “We have deployed several layers of advanced security monitoring solutions, which have not identified any ongoing malicious activity. We believe these additional layers of advanced security will help prevent a similar incident in the future.”
PageUp provides recruitment and unified talent management software for an array of companies. The security incident left many of these customers – including banks and universities – scrambling to notify their own end users. It serves as yet another reminder that third-party software and services are susceptible to dangerous security breaches impacting customers downstream.
After detecting “unusual activity” on its IT infrastructure on May 23, PageUp said it found indicators that client data may have been compromised. That includes names and contact details, such as usernames and encrypted passwords.
While a forensic investigation with assistance from an independent third-party is currently ongoing, “There is no evidence that there is still an active threat, and the jobs website can continue to be used. All client user and candidate passwords in our database are hashed using bcrypt and salted, however, out of an abundance of caution, we suggest users change their password,” said Karen Cariss, CEO and co-founder of PageUp in a statement posted Tuesday.
The source of the incident was a malware infection, said PageUp. “The malware has been eradicated from our systems and we have confirmed that our anti-malware signatures can now detect the malware. We see no further signs of malicious or unauthorised activity and are confident in this assessment,” said the company.
PageUp did not respond to an email from Threatpost asking about the breadth of the potential breach or further details about the malware. “As a result of ongoing investigations and potential law enforcement involvement, we are limited in what technical details we can disclose since we do not want to impact these efforts,” said the company in a post.
PageUp touts two million customers globally. Many of these users had their own notices up on the “Careers” pages of their websites to indicate they temporarily suspended connections with PageUp’s systems due to the potential breach. That includes customers like Australian grocery store Coles, the University of Tasmania and Medibank.
Medibank said in a statement that data from its job applicants and employees may have been compromised – including identity document details, tax file numbers, financial details and other personal information.
Malware targeting third-party systems has been an easy way for attackers to access enterprise and customer data.
That has been true with malware targeting point of sale systems to breach restaurant customer data, including an incident involving Applebee’s in March, as well as malware targeting third party HVAC systems to breach retail store data, including the infamous Target breach.
And that trend won’t stop any time soon, Scott Schneider, chief revenue officer at CyberGRX, told Threatpost.
“Unless something changes, I think this trend of third-party attacks will continue to get worse,” said Schneider. “From Target to the SWIFT Network, there have been high-profile third-party attacks for a long time, and still not a week goes by without a new one popping up. The interconnected nature of our digital ecosystems is a great thing for facilitating the flow of business, but unfortunately there’s a flip side. It also makes it easier for attackers to find soft spots to access our data. It’s become the path of least resistance – and I can’t imagine why they would stop now when they’re having so much success.”
Attackers are targeting these types of systems simply because it’s profitable, said Schneider. “Too many organizations think that their responsibility to safeguard data ends where their network does despite mountains of evidence to the contrary,” he told Threatpost. “It’s not a matter of a few simple steps. Organizations need to fundamentally change the way they approach managing third-party risk, and that means more collaboration.”
PageUp said as the ongoing investigation continues, it has notified the Australian Cyber Security Centre and engaged with Australia’s Computer Emergency Response Team. The company suggested that all users change their passwords.
This article was updated on 6/12 at 8:53 a.m. with an update from PageUp about the impact and scope of the data compromise.