On 31 May 2018, PageUp People Limited (PageUp), an HR cloud service provider, announced that it was investigating a security incident after its systems were compromised by an unauthorised person following a malware infection on 23 May 2018. PageUp is a contracted service provider to IP Australia and administers a recruitment module and the Achieve module on behalf of the Agency. PageUp has now confirmed that IP Australia’s recruitment module (not the Achieve module) was compromised on this date.
IP Australia is among a number of Australian and international organisations that have been impacted by the data security incident. The IP Australia data that has been breached includes names, IP Australia email addresses, commencement dates, classification and the Australian Government Service (AGS) numbers of staff. AGS numbers are government payroll numbers and are primarily used for superannuation payments and service history.
Since IP Australia became aware of this incident on 31 May 2018, the Data Breach Response Team and ICT Security have been working with the Department of Industry, Innovation and Science and PageUp to strengthen infrastructure through the implementation of additional controls, with the support of external security specialists. The Australian Cyber Security Centre, Australian Federal Police, Office of the Australian Information Commissioner (OAIC) and independent cyber security firms continue to work with PageUp in relation to the incident. These cyber security experts have now confirmed that they have not identified any further threats to the PageUp system and that it is now safe to use.
As we do not know who has accessed the information involved in the breach, we advise staff to be extra vigilant at this time. You should therefore:
- regularly change your passwords and make them hard to guess;
- be wary of phishing emails: review the sender of each email and be cautious of links and attachments – if in doubt, contact ICT Security; and
- avoid telephone scammers – good organisations don’t call you and then ask for your details – if in doubt, finish the call and do your own research by finding an alternative contact point and checking to see if the real organisation did call.
For any further questions, please contact us.