31 July 2018

On 31 May 2018, PageUp People Limited (PageUp), a HR cloud service provider, announced that it was investigating a security incident after its systems were compromised by an unauthorised person following a malware infection on 23 May 2018. PageUp is a contracted service provider to IP Australia and administers a recruitment module and the Achieve module on behalf of the Agency. PageUp have now confirmed that IP Australia’s recruitment module (not the Achieve module) was compromised on this date. 

IP Australia is among a number of Australian and international organisations that have been impacted by the data security incident. The IP Australia data that has been breached includes names, IP Australia email addresses, commencement dates, classification and the Australian Government Service (AGS) numbers of staff. AGS numbers are government payroll numbers and are primarily used for superannuation payments and service history.

Since IP Australia became aware of this incident on 31 May 2018, the Data Breach Response Team and ICT Security have been working with the Department of Industry, Innovation and Science and PageUp to strengthen infrastructure through the implementation of additional controls, with the support of external security specialists. The Australian Cyber Security Centre, Australian Federal Police, Office of the Australian Information Commissioner (OAIC) and independent cyber security firms continue to work with PageUp in relation to the incident. These cyber security experts have now confirmed that they have not identified any further threats to the PageUp system and that it is now safe to use.

As we do not know who has accessed the information involved in the breach, we advise staff to be extra vigilant at this time. You should therefore: 

  • regularly change your passwords and make them hard to guess;
  • be wary of phishing emails: check the sender of each email and be cautious of links and attachments – if in doubt, contact ICT Security; and
  • avoid telephone scammers – good organisations don’t call you and then ask for your details – if in doubt, finish the call and do your own research by finding an alternative contact point and checking to see if the real organisation did call.

For further information on how to protect your identity and respond to identity concerns please read OAIC’s data breach guidance and OAIC’s recommendations about what to do next.

IP Australia has obligations under the Privacy Act 1988 (Act) to take reasonable steps to protect the personal information it holds from misuse, interference, loss, unauthorised access, modification or disclosure. IP Australia’s Data Breach Response Team are continuing to investigate the incident and will ensure that the agency meets its obligations under the Act. You can access IP Australia’s Privacy Policy and PageUp’s response to the data breach.

For any further questions, please contact us.