Computerworld

‘Small amount’ of password-related data stored as plaintext, PageUp says

Company says it’s almost certain personal data was accessed during the data breach that occurred in May

Australian HR SaaS provider PageUp has confirmed that on the “balance of probabilities” it believes that “data relating to our clients, placement agencies, applicants, references and our employees has been accessed” during a security breach that the company revealed earlier this month.

The company said that data affected by the breach may include information relating to employees of PageUp customers who had access to the SaaS platform (including their name, email address, physical address, and telephone number) as well as employment information, such as employment status, company and title.

The company said that current PageUp password data has been hashed and salted and “therefore is considered to be of very low risk to individuals”.

However, in a statement the company also revealed that “failed login attempt data from 2007 and before contained a very small amount of password data in clear text.”

(An updated statement from the company said: “A small number of PageUp error logs from before 2007 may have contained incorrect failed passwords in clear text. Because failed passwords can be similar to correct passwords, if employees have not changed their password information since 2007, it would be prudent to do this now and anywhere where they may have used the same password.”)

The data of individuals who applied for jobs with companies that used PageUp is also likely to have been accessed, including data such as contact details, biographical details and employment details.

“Password data for applicants was protected using industry best practice techniques, including hashing and salting and therefore evaluated as a very low risk,” PageUp said.

Data relating to employment references was also affected. However, the company reaffirmed its initial assessment that “the most critical data categories including resumes, financial information, Australian tax file numbers, employee performance reports and employment contracts are not affected in this incident”.

“We take privacy very seriously and are doing everything in our power to make our systems and security processes – and most importantly the data we hold – more secure, now and for the long-term,” PageUp CEO and founder Karen Cariss said in a statement released last week.

“We sincerely apologise to our clients, applicants and employees who may be affected by this incident.”

The company has said that “advanced methods” were used to access its systems in Australia, Singapore and the UK in May.

A number of prominent Australian businesses have been affected by the breach, including Coles, NAB, Telstra, Linfox, Tatts Group, Michael Hill, Lindt, the Reserve Bank of Australia, Australia Post and Wesfarmers.

Sydney law firm Centennial Lawyers revealed earlier this month that it is investigating the potential for a class action against PageUp.