Australia's Attorney-General's Department said some of its staff may have been impacted in the recent breach affecting human resources software firm PageUp. The company confirmed earlier this month that an "unauthorized person" gained access to its systems, compromising customer data.
The HR company said some personal data for employees who currently or previously had access to the client's PageUp instance may have been affected.
What data was compromised?
Potentially compromised data included employee contact details such as names, email addresses, street addresses and telephone numbers along with employee details such as employment status, company and job title.
Job applicants' data were also potentially compromised in the breach which includes contact details such as names, email addresses, physical addresses and telephone numbers, biological data such as gender, dates of birth, middle name, nationality and if the application was a local resident at the time of the application. Employment details such as employment status, company and title were also potentially accessed.
"If the application was submitted for a reference check, then the following additional details may have been provided by the reference: technical skills, special skills, team size, length of tenure with company, reason for leaving that position (if applicable), and the length of relationship between the applicant and reference," PageUp said in a statement.
However, no employment contracts, resumes, Australian tax file numbers, credit card data or bank account data were affected, the company said.
Who was affected?
Multiple Australian companies including Coles, Telstra, Wesfarmers, the National Australia Bank, Australia Bank, ABC, Medibank, Jetstar, Target, Suncorp, Commonwealth Bank and more who use PageUp's technology were also potentially affected by the breach.
The AGD's recruitment team also confirmed in an email to job applicants that it was "possible that some of your personal details which were held in PageUp's systems may have been accessed by an unauthorized person and possibly disclosed to others".
"Our department has a contractual relationship with PageUp in respect of particular recruitment services," AGD said in a statement. "We are aware of the data security breach and are in close contact with the Australian Cyber Security Centre and PageUp as they conduct a forensic analysis in relation to the breach."
In a statement from the Office of the Australian Information Commissioner (OAIC), Head of the Australian Cyber Security Centre and National Cyber Security Adviser Alastair MacGibbon said: "PageUp has committed to advising impacted organisations and individuals if there are any new findings to arise as they complete their investigations. PageUp has demonstrated a commendable level of transparency in how they’ve communicated about, and responded to, this incident: they came forward quickly and engaged openly with affected organisations."
The Australian Cyber Security Centre (ACSC), the Office of the Australian Information Commission (OAIC) and IDCARE - the Australian and New Zealand national identity support service - said in a joint statement that it is possible no Australian information "may have actually been stolen" in the breach. The authorities noted there is a difference between data being "accessed" and "stolen" in a security incident.
"Whilst it is important to acknowledge that breached personal information impacts people in different ways, based on investigations undertaken to date by PageUp, at this point IDCARE assesses that the direct risk of identity theft is unlikely," Dave Lacey, managing director of IDCARE, said in a statement. "Identity thieves typically require other forms of personal information to successfully manipulate this type of data, such as driver licence, passport, and account details, in order to obtain credit in a person’s name or related acts of impersonation."