HR software company PageUp says that a forensic expert it engaged to examine its systems has found “no specific evidence” that data was stolen during a security breach earlier this year.
In June, the Australian SaaS provider announced that it had suffered a significant security breach in May.
Company CEO and co-founder Karen Cariss said that PageUp “detected unusual activity on its IT infrastructure” on 23 May.
“On May 28, 2018 our investigations revealed that we have some indicators that client data may have been compromised, a forensic investigation with assistance from an independent 3rd party is currently ongoing,” the CEO said.
PageUp says it has more than 2.6 million users in 190 countries with high-profile customers including Linfox, Tatts Group, Telstra, Michael Hill, Lindt and Australia Post.
After an initial investigation the company said that it believed on the “balance of probabilities” that “data relating to our clients, placement agencies, applicants, references and our employees” was accessed during the breach.
Data that it believed may have been vulnerable included the personal details of employees of PageUp customers, details of job applications lodged with the company’s customers, and employment reference information.
PageUp said, however, that there was no evidence that data had been exfiltrated.
The company’s response to the breach won plaudits from Australian Cyber Security Centre head Alastair MacGibbon. “PageUp has demonstrated a commendable level of transparency in how they’ve communicated about, and responded to, this incident: They came forward quickly and engaged openly with affected organisations,” MacGibbon said shortly after PageUp went public about the breach.
In an update earlier this week the company said that an investigation conducted by Klein & Co. “concluded that while an attacker was successful in installing tools that could exfiltrate data, no specific evidence was found that data was exfiltrated”.
Investigators “collected and analysed all available digital forensic evidence related to the incident.” “We thank you for your patience as we worked through this process,” the company said.
Last month the Office of the Australian Information Commissioner released its latest quarterly update on data breaches reported to it. The OAIC revealed that “malicious or criminal attack” was the source of around 57 percent of the 245 breaches reported to it during the three months to 30 September.