Singapore career website hit by PageUp malware scare

A Singapore government career website was among others affected by a malware attack on an Australian recruitment technology supplier

The Singapore government’s [email protected] website has become the latest victim of a malware attack on PageUp, its Australia-based recruitment technology provider.

PageUp recently revealed that it was investigating the attack, which had compromised its system being used by clients to manage hiring processes. The threat has since been contained and eradicated.

Besides the Singapore government, major Australian organisations and businesses such as AusPost, Commonwealth Bank and Telstra were affected.

“While investigations continue, on the balance of probabilities, we believe certain personal data relating to our clients, placement agencies, applicants, references and our employees has been accessed,” it said.

Based on its forensic analysis and current information, PageUp, which has been working with the Australian Cyber Security Centre, Australian Federal Police and multiple cyber security firms to address the incident, said the breached data could include names, street addresses, email addresses and telephone numbers.

Some employee user names and passwords could also have been accessed, though PageUp said “password data is protected using industry best practice techniques including hashing and salting and therefore is considered to be of very low risk to individuals”.

It added that no employment contracts, applicant resumes, tax file numbers, credit card information or bank account information were affected.

In the aftermath of the data breach, some PageUp clients such as Commonwealth Bank have taken their jobs pages offline as a precautionary measure. Singapore’s [email protected] website continues to be available at press time.

William Tam, director of sales engineering at Forcepoint Asia-Pacific, said while the PageUp incident is not the largest breach in recent history, the affected countries span multiple regions, many with their own unique levels of regulatory requirements.

Given this is the first major breach to happen after the launch of the General Data Protection Regulation (GDPR), Tam said it will be the first example of how action will be taken by the European Union (EU).

“With an investigation now launched, how the Europe Data Protection Board participate in the investigation will be watched closely by many around the world, including the regulatory authorities outside the EU that make up the remainder of the 190 impacted countries,” he added.

“Organisations should see this as an insight into the future of how data breaches will be handled under new regulations, and use this as a wake-up call to improve their posture today, to avoid being tomorrow’s headline.”

Under Australia’s mandatory data breach notification regime, government agencies and businesses covered by the Privacy Act must notify individuals affected by a data breach. Singapore is also looking to roll out similar rules under a set of proposed changes to the Personal Data Protection Act.

Read more about cyber security in APAC

Read more on Data breach incident management and recovery