Update on notification by PageUp of Eligible Data Breach – 25 June 2018
Thank you for visiting our careers site.
You may be aware of a recent security incident at PageUp (a third party technology provider which HCF uses to manage its recruitment application and new starter on-boarding processes).
The incident compromised a part of the PageUp system that contains, some of the personal details of our former and current candidates, referees and external recruitment agencies we use. As a result, if you fall within any of these group of individuals, PageUp has advised that some of your information is likely to have been subject to access by an unauthorized person.
PageUp has now confirmed that it notified the Office of the Australian Information Commissioner (OAIC) of the data breach on the basis that it is an eligible data breach.
HCF has therefore prepared this notice to update its applicants and other affected individuals we have dealt with through using its recruitment services.
Description of eligible breach
We have been kept informed of the forensic investigations that PageUp has carried out. PageUp has confirmed that there was unauthorised access to and activity on the PageUp systems which hold personal data relating to clients' recruitment activities in Australia which includes HCF.
Importantly, PageUp has advised that at this stage, there is no evidence of exfiltration (that is, of this data being extracted from its systems and misused), only access.
PageUp’s forensic experts have identified that, depending on whether you are an applicant, a referee or a recruitment agency, the affected data comprises:
- for HCF applicants: contact information (including names, street addresses, email addresses, and telephone numbers), gender, data of birth, nationality, employment information (employment status, company and title, and whether they were the registered contact for communications), authorisation to work in a jurisdiction, salary expectation and currency), identification data (e.g. usernames, passwords), location data, and passwords;
- if you had included referees in your application, their affected data comprises: contact information (including name, email address, physical address, and telephone number) and employment information at the time the reference was provided (including company, title, and the length of the relationship with the applicant) would also have been affected; andApply all recommended software patches from operating system and software providers.
- for our external recruitment agency contacts: your affected data comprise login details, including name, email address, physical address, and telephone number are among those potentially affected. Note that PageUp has advised that given the protections for the username and passwords you use to log in to the HCF, the risk of harm relating to these is low.
Importantly, PageUp has advised that it is confident that the most critical and sensitive data categories including resumes, financial information, Australian tax file numbers and employment contracts, were not accessed and have not been affected by this incident.
What has HCF done in response to the Page Up incident?
HCF has taken the following action to minimise any possible harm:
- Informed our employees, external recruitment agencies and applicants via notices on our website
- Temporarily ceased using PageUp's systems to process job applications
- Contacted the OAIC for updates on this matter
- Contacted PageUp for responses to specific questions about the impact of this incident to HCF
- Sought advice from its professional advisors and internal IT security team
PageUp has advised that the incident has been contained on PageUp systems, and that PageUp is now safe to use again. Its external cybersecurity advisors have confirmed that the malware has now been contained and that there is no evidence of an active threat and it is working with them to implement additional security measures to ensure prevent any further incidents. Based on its updates and assurances in relation to its systems, we intend to reopen Page Up to our employees, external recruitment agencies and applicants on Monday 25 June 2018.
You can read PageUp’s latest communication on their website.
What should I do?
We recommend that you take the following steps to maintain good security:
- Change your passwords on other online services, if you re-use the same affected password and, when you can access PageUp again, change your passwords
- Enable multi-factor authentication and other available security measures provided by your other online services
- Monitor your email and PageUp accounts and remain alert for potential phishing emails and telephone calls from businesses or institutions requesting your personal details.
- Avoid opening attachments from unknown senders via email or social media
- Install anti-virus software on your devices and keep it updated
- Apply all recommended software patches from operating system and software providers.
Where should I go for more information?
If you have any queries or concerns regarding a recruitment application you have submitted to HCF or an application you would like to submit, please do not hesitate to contact our Talent Acquisition team on firstname.lastname@example.org.
If you have any concerns about this incident, you should, in the first instance, contact PageUp at email@example.com and if not satisfied with their response, you can contact the OAIC at www.oaic.gov.au or on 1300 363 992.
If you have a question about how to reset your PageUp password, access your PageUp profile or view your PageUp data, you can call PageUp on (toll free) 1300 893 787 or 03 9068 7721.
If you have any queries regarding this notice, please contact the HCF Privacy Officer as follows:
HCF Privacy Officer
The Hospitals Contribution Fund of Australia Limited
403 George Street
Sydney NSW 2000
Telephone: 02 9290 0462