Leading HR software company PageUp, which has 2 million active users across 190 countries, has been hit by malware.
PageUp’s CEO and co-founder, Karen Cariss, reported that on 23 May the company “detected unusual activity on its IT infrastructure and immediately launched a forensic investigation. On May 28, 2018 our investigations revealed that we have some indicators that client data may have been compromised; a forensic investigation with assistance from an independent 3rd party is currently ongoing”.
Cariss recommends that “out of an abundance of caution”, users should change their password.
How did the data breach occur?
PageUp confirmed that the source of the incident was malware: “The malware has been eradicated from our systems and we have confirmed that our anti-malware signatures can now detect the malware. We see no further signs of malicious or unauthorised activity and are confident in this assessment”.
Although the data affected may include personal information such as job applicants’ names and contact details, passwords are not thought to have been compromised.
Implications of the breach
The attack may look small, but the damage to consumer trust is immeasurable.
PageUp’s clients include corporations such as Target, Telstra, Reserve Bank of Australia and the Australian government’s Attorney-General’s Department, so the breach has attracted media and regulatory authorities’ attention.
The swift statement issued by the CEO is a step in the right direction, as sharing facts can help regain trust with customers.
Preventing malware attacks
Can such disruption be avoided? Wouldn’t the malware have been caught by spam filters and antivirus software? Signature-based antivirus does a good job of blocking payloads it already knows about, but it can only match what it has a signature for; PageUp’s own update hints at this limitation in saying that its anti-malware signatures “can now detect the malware”.
Malware that arrives as an attachment or a link in a phishing email is dormant until it is run: a file that has not yet been catalogued carries no known signature, so nothing happens when it lands in an inbox. What sets the attack in motion is the user who clicks a link or opens an attachment they shouldn’t have.
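To make the signature limitation concrete, here is an added toy model of a mail gateway running an antivirus check over incoming attachments. It is not code from the article or from PageUp: the attachments are constructed byte strings (the “malware” is inert text, not a real sample), the hash-based scanner stands in for a vendor signature set before and after a sample is catalogued, and the byte-pattern rule is a hypothetical family rule in the style of a YARA match, included to show why a rule keyed on behaviour generalises to a repacked variant when an exact-hash signature does not.

```python
"""Toy model of signature-based attachment scanning (constructed example, not PageUp's code)."""
import hashlib
import re

# Constructed attachments standing in for files arriving by email.
# The "malware" is an inert byte string used only to exercise the scanners.
KNOWN_MALWARE = b"MZ\x90\x00payload:drop-and-run;build=1"
VARIANT = KNOWN_MALWARE.replace(b"build=1", b"build=2")  # repacked: one byte differs
BENIGN_PDF = b"%PDF-1.4 quarterly report"

ATTACHMENTS = {
    "invoice.exe": KNOWN_MALWARE,
    "invoice_v2.exe": VARIANT,
    "report.pdf": BENIGN_PDF,
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class HashSignatureScanner:
    """Flags a file only when its exact SHA-256 is in the shipped signature set."""

    def __init__(self, known_hashes=()):
        self.known = set(known_hashes)

    def add_sample(self, data: bytes) -> None:
        # What a vendor does after an incident: analyse the sample, ship its hash.
        self.known.add(sha256_hex(data))

    def is_malicious(self, data: bytes) -> bool:
        return sha256_hex(data) in self.known


class PatternScanner:
    """Matches a byte pattern shared across a family (hypothetical YARA-style rule)."""

    def __init__(self, patterns):
        self.patterns = [re.compile(p) for p in patterns]

    def is_malicious(self, data: bytes) -> bool:
        return any(p.search(data) for p in self.patterns)


def gateway_verdicts(scanner, attachments):
    """Decide per attachment as a mail gateway would: 'blocked' or 'delivered'.

    A delivered attachment sits dormant in the inbox; nothing runs until the
    recipient opens it, which is the user action the article describes.
    """
    return {
        name: ("blocked" if scanner.is_malicious(data) else "delivered")
        for name, data in attachments.items()
    }


def demo():
    """Run the three stages and return their verdict tables."""
    before = HashSignatureScanner()  # day of the attack: no signature exists yet
    after = HashSignatureScanner()   # after the vendor update ships the hash
    after.add_sample(KNOWN_MALWARE)
    family = PatternScanner([rb"payload:drop-and-run"])  # hypothetical family rule
    return {
        "before_update": gateway_verdicts(before, ATTACHMENTS),
        "after_update": gateway_verdicts(after, ATTACHMENTS),
        "pattern_rule": gateway_verdicts(family, ATTACHMENTS),
    }


if __name__ == "__main__":
    for stage, verdicts in demo().items():
        print(stage, verdicts)
```

Before the update every attachment is delivered, because the scanner has nothing to match; after it, the exact sample is blocked but the one-byte variant still gets through, while the pattern rule catches both. That gap between “signature shipped” and “variant in the wild” is the window in which the user clicking the attachment decides the outcome.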
IT Governance has developed the Phishing and Ransomware – Human patch e-learning course to educate staff on how to avoid falling victim to phishing attacks and ransomware.
This ten-minute course will help to significantly reduce the risk of your organisation falling victim to an attack.