Singapore career website hit by PageUp malware scare

A Singapore government career website was among others affected by a malware attack on an Australian recruitment technology supplier

The Singapore government’s Career@Gov website has become the latest victim of a malware attack on PageUp, its Australia-based recruitment technology provider.

PageUp recently revealed that it was investigating the attack, which had compromised its system being used by clients to manage hiring processes. The threat has since been contained and eradicated.

Besides the Singapore government, major Australian organisations and businesses such as AusPost, Commonwealth Bank and Telstra were affected.

“While investigations continue, on the balance of probabilities, we believe certain personal data relating to our clients, placement agencies, applicants, references and our employees has been accessed,” it said.

Based on its forensic analysis and current information, PageUp, which has been working with the Australian Cyber Security Centre, Australian Federal Police and multiple cyber security firms to address the incident, said the breached data could include names, street addresses, email addresses and telephone numbers.

Some employee user names and passwords could also have been accessed, though PageUp said “password data is protected using industry best practice techniques including hashing and salting and therefore is considered to be of very low risk to individuals”.

It added that no employment contracts, applicant resumes, tax file numbers, credit card information or bank account information were affected.

In the aftermath of the data breach, some PageUp clients such as Commonwealth Bank have taken their jobs pages offline as a precautionary measure. Singapore’s Career@Gov website continues to be available at press time.

William Tam, director of sales engineering at Forcepoint Asia-Pacific, said while the PageUp incident is not the largest breach in recent history, the affected countries span multiple regions, many with their own unique levels of regulatory requirements.

Given this is the first major breach to happen after the launch of the General Data Protection Regulation (GDPR), Tam said it will be the first example of how action will be taken by the European Union (EU).

“With an investigation now launched, how the Europe Data Protection Board participate in the investigation will be watched closely by many around the world, including the regulatory authorities outside the EU that make up the remainder of the 190 impacted countries,” he added.

“Organisations should see this as an insight into the future of how data breaches will be handled under new regulations, and use this as a wake-up call to improve their posture today, to avoid being tomorrow’s headline.”

Under Australia’s mandatory data breach notification regime, government agencies and businesses covered by the Privacy Act must notify individuals affected by a data breach. Singapore is also looking to roll out similar rules under a set of proposed changes to the Personal Data Protection Act.

Read more about cyber security in APAC

  • The personal data of more than 46 million mobile phone users in Malaysia was reportedly leaked online in possibly the biggest data breach in the Southeast Asian country.
  • Australia’s Cyber Security Strategy, aimed at protecting citizens, companies and critical infrastructure, has made significant headway over the past year, but the jury is still out on its long-term impact.
  • A majority of publicly listed companies in Singapore had little or no exposure to cyber threats even as the country is being used as launch pad for cyber attacks.
  • The Australian Broadcasting Corporation is the latest organisation to fall prey to misconfigured Amazon S3 storage buckets, exposing database backups and sensitive data such as login credentials.

Read more on Data breach incident management and recovery

Data Center
Data Management