Although investigations are continuing, there is as yet no evidence of data theft in connection with the PageUp data breach that took place in May.
PageUp has confirmed that customer data was accessed during the breach. However, a joint statement released by the Australian Cyber Security Centre (ACSC), the Office of the Australian Information Commission (OAIC) and IDCARE, the Australian and New Zealand national identity support service says that it may be the case that no information was exfiltrated.
The Australian SaaS provider notified the OAIC and ACSC after it discovered the breach.
“Whilst it is important to acknowledge that breached personal information impacts people in different ways, based on investigations undertaken to date by PageUp, at this point IDCARE assesses that the direct risk of identity theft is unlikely,” IDCARE’s managing director, Dave Lacey said.
“Identity thieves typically require other forms of personal information to successfully manipulate this type of data, such as driver licence, passport, and account details, in order to obtain credit in a person’s name or related acts of impersonation.”
“IDCARE assesses that there are other risks that are likely to be more relevant to impacted individuals, including the possibility of phishing emails, telephone scam calls, and specific risks to individuals concerned about their contact information, physical address, and employment details (and applications) becoming known to third parties,” Lacey added.
“PageUp has committed to advising impacted organisations and individuals if there are any new findings to arise as they complete their investigations,” ACSC head and government national cyber security advisor Alastair MacGibbon said in a statement.
“PageUp has demonstrated a commendable level of transparency in how they’ve communicated about, and responded to, this incident: They came forward quickly and engaged openly with affected organisations.”
PageUp says that the data accessed may have included the personal details of employees of PageUp customers, details of job applications lodged with PageUp customers, and employment reference information.
The company has emphasised that sensitive financial data, such as Tax File Numbers, is not believed to have been accessed.