Sydney law firm Centennial Lawyers says it is investigating the potential for a class action against PageUp in the wake of a possible data breach that has swept up some of Australia’s biggest employers.
PageUp has revealed that in late May it had detected “unusual activity on its IT infrastructure”.
“On May 28, 2018 our investigations revealed that we have some indicators that client data may have been compromised, a forensic investigation with assistance from an independent 3rd party is currently ongoing,” a statement released by CEO Karen Cariss said.
Coles, NAB, Telstra, Linfox, Tatts Group, Michael Hill, Lindt, the Reserve Bank of Australia, Telstra, Australia Post and Wesfarmers are among the high-profile brands affected by a possible breach.
PageUp provides a cloud-based platform for recruitment as well as other HR functions such as on-boarding and performance management.
PageUp said that the data that may be affected by the breach includes information such as names and contact details as well as usernames and passwords (which it said were hashed and salted).
“As the system is client configurable, we will be working with our clients to understand how they are using the system as part of our data subject impact assessment,” a statement from the company said.
Documents such as signed employment contracts and resumes are kept on separate infrastructure that the company does not believe was accessed.
“While there have been major successful class actions in the US and Canada against Yahoo and Ashley Maddison for mass data breaches, similar class action are only now starting to be issued in Australia,” said the principal solicitor of Centennial Lawyers, Associate Professor George Newhouse.
“We are proud to be at the leading edge of this area of law to reaffirm the importance of protecting people’s data which contains personal, sensitive or confidential information.”
The firm last year filed a class action against NSW Ambulance Service over alleged privacy breaches.
A number of PageUp customers have confirmed that they have suspended use of the platform.
Telstra said that the information affected in the breach could include a job applicant’s name, phone number, application history and email address.
In addition, information relating to successful applicants that may be affected includes date of birth, employment offer details, employee number (in the cases of current or former Telstra employees), pre-employment check outcomes, and referee details.
The telco said in a statement that it had put on hold all current recruitment activity that has not been progressed past a written offer.
The Office of the Australian Information Commissioner earlier this week confirmed it was in contact with PageUp and the Australian Cyber Security Centre about the incident.
In a statement the ACSC said it is “working with online recruitment service, PageUp People, to determine the full extent of the incident impacting its computer systems.”
“At this stage, investigations are continuing into what data, if any, may have been compromised,” the statement said.
“PageUp has indicated the incident is contained and the threat has been removed.”
Centennial Lawyers said that employees or job applicants potentially affected by the incident could contact NSWAprivacyclassaction@justice.org.au.