Cloud services hacked

Today I received an email from 2 recruiters, pretty sure more to come as they use the same cloud-based services company, PageUp.

Personal details have been compromised, first one just stated that they suspended their dealings with PageUp.
Second one said that CV, Cover letter are stored elsewhere but still my full name, birthday, mobile phone number have been compromised.

Livid !! Not sure what I can do…

5 Likes

It’s not like recruiters are the brains trust of the planet - no surprises but I agree, disappointing - I figure my public resume is all I give them, and it’s ‘public’ …

3 Likes

When you fill out forms you provide your full name, date of birth, address and mobile number. All that even before you upload documents.

So just called telco and put security measures so that no one can move my phone to another provider, if my details have been compromised.

One is a recruiter and the other a major corporation known world wide.

Three interviews this week. Dead to the world and now this … Today was the worst. Through an agency and facts about the job were not disclosed. Came as a shock during the interview. Thankfully it’s a contract and have to wait to hear back.

2 Likes

“PageUp communicated to its customers that “On May 23, 2018, PageUp detected unusual activity on its IT infrastructure and immediately launched a forensic investigation. On May 28, 2018 our investigations revealed that we have some indicators that client data may have been compromised, a forensic investigation with assistance from an independent 3rd party is currently ongoing.”” [sic] part of the email …

They are only telling people now and they’ve known since May 23!

Need to know what my rights are.

My CV is on LinkedIn as well but not personal details.

Some want my passport and medicare card uploaded and I usually avoid doing some… have done that for security check. Hope that mob weren’t using PageUp services.

2 Likes

You should complain to the Privacy Commissioner for a start. Contact a good solicitor next and look to ways to secure your identity against possible use by others and seek damages.

4 Likes

Trying to secure phone/bank/credit cards.

https://www.oaic.gov.au/individuals/data-breach-guidance/what-to-do-after-a-data-breach-notification?RIID=&utm_source=newsletter&utm_medium=email&utm_content=&utm_campaign=-doncaster-other-280260

‘Although there’s no indication that any Scentre Group applicants have been impacted by this incident, we take cyber security and privacy extremely seriously and, as a precaution, we’re contacting all applicants who’ve submitted resumes through the system since we began using it in October 2017, to advise of the issue.’ [sic] the cloud that they are using was hacked but no indication that their applicants were affected… seriously what?

3 Likes

I recommend you read this ABC article on the problem and follow with any steps you feel are warranted.

The references to the Attorney General’s Dept for the Certificate are useless. The documents about identity theft can be read and downloaded from the following links (this keeps changing so will try to keep updating the links) and the final link is to the actual Certificate pdf download:

5 Likes

I used PageUp from the other side of the fence a few years ago…for recruitment and managing candidate applications. It also appears that other data collected by PageUp may have also been compromised. This includes Bank Account Details, Tax File Numbers, superannuation details, home addresses and drivers licence numbers. Why PageUp needs this information is anyone’s guess and it may be data harvesting by the company.

Possibly information like names, addresses and mobile numbers by themselves are possibly not much of an issue (most of these are publicly available), but when other information like that listed above is also linked to these, it makes it easier for a person to create a false identity.

As a general rule, I never give anything they don’t need. If they say need a driver licence number or other details for security checks, in the past I have made direct contact with them to provide the information verbally over the phone…and indicating that I don’t want the information stored electronically. This could reduce the chances of the information being lost/hacked online.

I also check regularly and reconcile bank account transactions with those I have kept records. I also monitor all other usage such as phones etc. I also change passwords to important online services regularly (banks, email, phone, utilities etc)…one must have a password manager to do this as it would be impossible to change passwords regularly and remember them all.

We also have a friend who works in online security and something he never does is use his real birthday date when registering for an online service…unless it is required for legal/legislative reasons (e.g. application for a bank account/credit card, passport etc). He instead uses a ‘phoney’ birthday date which he uses on any websites that require mandatory birthday date completion to register. He also refuses to give out any other personal information for website registration purposes (e.g. licence number, passport number etc) unless it is specifically required (e.g. international booking flights).

He also does not join any of the social media platforms (such as Facebook, Instagram, LinkedIn) as his view is that it is highly likely that any personal information on these platforms will be compromised at some time either through hacking or internal employee data breaches.

He also says that no data is safe and has potential to be breached. Even the strongest security systems can be breached as the weakest link is humans managing the system.

He also takes the view that don’t put anything online which one would not feel comfortable in seeing on the front page of the paper. I have also adopted his principles.

Unfortunately many think of clouds (storing data on remote servers) as being as safe as storing on one’s own hard drive. It may be for data recovery purposes, but not potentially for security.

7 Likes

I don’t hand out my details either but if you progress further in the job search you have to give them your TFN, passport, drivers license etc etc and they store it all with this mob as well if they use them.

Called them and they said ‘don’t believe anyone but us’ … yeah right!!

In the meantime calling all and putting security on everything.

Interestingly most of the companies on that list didn’t email me. Wonder what they are waiting for.

Even with cloud they’d have numerous servers, not just one. So they would know who to contact.

Must be a huge breach as they have been investigating since 23rd May and still no answers.

They did suggest I email their investigation team and ask questions.

4 Likes

thank you!

I have read the ABC site. Saddened that so many companies used this firm and I used it as well.

3 Likes

After thinking further, requesting a date of birth as a mandatory item to enable the lodgement of job applications is also concerning.

If an age requirement is required (e.g. working in a licensed venue or for gaining a particular licence when the minimum age is 17), they may require one to demonstrate they meet the age requirement for the particular workplace environment…but for any non-age specific (not required as result of legislation) positions, the collecting of such data (even if it is to set up an online account with online recruitment software) could be seen as potentially discriminatory…as such information could easily be accessible by a prospective employer and potentially used to make decisions…

Having been a hiring manager in the past in a large organisation, one thing the HR department say is never ask for age, sex, religion etc otherwise it could open up a can of worms should someone be unsuccessful in the role and challenge the decision made in relation to the successful applicant.

6 Likes

My comments are slightly off the issue specifically about “PageUp”, but I believe that it follows the problem in the headline of “Cloud services hacked”:
After the misuse of personal data by the likes of Facebook and the “accidental” loss of people’s personal details by banks, ‘PageUp’, etc I am wondering about the value of ‘Cloud storage’ generally?
I fear we have had a far too naive and simplistic faith in organisations to protect the storage of large amounts of our information. We have blindly stored masses of information about ourselves because it is ‘free’ and easy to do. We also have a tendency to use these cloud companies to read and analyse extensive amounts of data. I have Solar PV cells which have all the power generation details stored and analysed by a company? I cannot access the raw data; I cannot change the access to that data for someone else to analyse; I cannot even change how I access that data - I cannot change my user name or password, my user name being my email address (what happens if I change email address?)
The information these organisations are collecting and storing is extensive and permanent and we have no control how that will be used in the future. Or even whether we will even be able to access it!

So, I am wondering whether we should start avoiding the ‘free’ Cloud storage and use far more of our own memory backup systems? I have two of my own backup systems, one being an Apple ‘Time Capsule’ which automatically backs up my computers regularly plus a large memory storage which I move large files to, keeps my computer memory from being used and saves what is being backed up. I did use Apple iCloud for a while but it filled up too quick and it kept downloading photos onto my computer and smart phone so I had no memory left.

I am wondering whether in future (maybe even now) part of the ‘smart’ house there should be an installed memory system as part of the house network (a private hub), which can also be used to do the controlling of ‘smart’ devices and NOT rely on some external operator???

6 Likes

Sorry to hear what has happened to you @Anna. Please try IDCare ‘help@idcare.org’. They are very helpful.

1 Like

Cloud Storage can be safe at the moment. But to clarify that statement I will add some explanation.

If you use Cloud Storage that relies on someone else to make the data unreadable to non authorised users it is not safe.

If you use cloud storage and do not encrypt your data before sending it and it is encrypted at the storage, it is not safe.

If you do not encrypt your data and it is not encrypted at the storage it is not safe.

If you encrypt your data before sending it and it is again encrypted at the storage it is safe as long as you do not share/divulge/lose control of your personal encryption keys and password/s.

If you encrypt your data before sending and it is not encrypted at the storage it is safe as long as you do not share/divulge/lose control of your personal encryption keys and password/s.

If Quantum Computers become mainstream your data even if encrypted will not be safe.

Encryption in these scenarios means using good encryption tools and having strong/effective passwords.

So if you store any photos, documents, images, scans, etc in the Cloud and you want it to be safe from prying eyes, you need to encrypt it before you let it leave the security of an offline computer. Then transfer the file/s to an online connected computer or put the offline computer into a safe (shut down and restart the computer and clean out temporary files before going online) online state and transfer the data to the Cloud Storage. Do not store your personal encryption keys nor your encrypted file passwords on the online computer.

Data stored at home or on premises is not safe unless it is securely encrypted. A thief or other unauthorised person can steal or obtain the data from storage devices quite easily and if unencrypted they can use the data however they wish.

6 Likes
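
An added illustration of the "encrypt before sending" advice in the post above: the file is encrypted locally with a passphrase, and a digest of the ciphertext is kept at home so a later download can be checked before decrypting. This is not code from the thread; the use of the `openssl` command-line tool, the function names and the file names are assumptions, and the sample data is constructed.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): encrypt on your own machine so the
# cloud provider only ever stores ciphertext. All file names are placeholders.
set -eu

KDF_ITER=600000   # PBKDF2 rounds; slows down passphrase guessing

# Print the SHA-256 of a file as a bare hex string.
sha256_of() { openssl dgst -sha256 -r "$1" | cut -d' ' -f1; }

# encrypt_for_upload <plain> <cipher> <passfile>
# Writes <cipher> (the only file to upload) and <cipher>.sha256 (keep locally).
encrypt_for_upload() {
    openssl enc -aes-256-cbc -pbkdf2 -iter "$KDF_ITER" -salt \
        -in "$1" -out "$2" -pass "file:$3"
    sha256_of "$2" > "$2.sha256"
}

# decrypt_download <cipher> <plain> <passfile> <local-digest-file>
# Refuses to decrypt if the downloaded ciphertext differs from what was sent.
decrypt_download() {
    if [ "$(sha256_of "$1")" != "$(cat "$4")" ]; then
        echo "ciphertext changed since upload, not decrypting" >&2
        return 1
    fi
    openssl enc -d -aes-256-cbc -pbkdf2 -iter "$KDF_ITER" \
        -in "$1" -out "$2" -pass "file:$3"
}

# Round trip on constructed sample data; returns 0 only if every check passes.
demo() {
    d=$(mktemp -d)
    printf 'TFN 000 000 000 (constructed sample)\n' > "$d/scan.txt"
    printf 'correct horse battery staple (sample)\n' > "$d/pass.txt"
    encrypt_for_upload "$d/scan.txt" "$d/scan.enc" "$d/pass.txt"
    # The uploaded file must not contain the readable text.
    if grep -a -q 'TFN' "$d/scan.enc"; then return 1; fi
    decrypt_download "$d/scan.enc" "$d/out.txt" "$d/pass.txt" "$d/scan.enc.sha256"
    cmp -s "$d/scan.txt" "$d/out.txt"
    rm -rf "$d"
}
demo
```

Only `scan.enc` would go to the cloud; the passphrase file and the `.sha256` file stay on storage you control.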

Valid point and something I did not consider in my earlier post as I suspect it is rarely done.

8 Likes

Asking Age/Sex etc questions are dangerous for companies but they still ask.

When you supply your birthday dd/mm/yyyy they can work it out.
Most ask if you are F/M or other

Some have asked sexual preference…

Almost all ask if you have a disability. Then some give you a disability to choose from. Cancer is apparently a disability.

Tried looking on PageUp pages today and the website was down. So I called them. Receptionist was not aware that the page was down. Advised me to email their investigations team and told me not to believe anyone but them when it comes to information that is coming out.

4 Likes

Thank you Gaby!

Looking for work has just become even more dangerous. I check all companies on ASIC prior to applying.

Came across one where the owner was barred from trading due to fraud… he waited out and then opened his own company.

4 Likes

Another email just landed … this is insane!!

“We are contacting you as you have applied for a job at xxxx via PageUp. The data collected from you via the PageUp portal did NOT include bank account, credit card or Tax file number information. We have not received any indication that your account or data has been compromised. As a precaution we advise you to log in to your account and change your password. If we receive any further information about the breach as it relates to your data, we will be in touch.” [sic]

4 Likes

I received an email yesterday from an entity, saying that they had been using PageUp for recruitment and I should log into my account and change my password… “here’s the link”!

I replied to say that I do not click links in unsolicited emails. I then went to the PageUp website, and sent them an email asking to confirm whether my details were in any databases and could they please tell me where to log into these databases.

Never click on a link in an unsolicited email. While I suspect that this email was in fact legitimate, it is the responsibility of the sender to put their identity beyond reasonable doubt.

There is an old rule in backup: 3, 2, 1. Always have at least three backups, in two different formats, including one offsite. If you do not have an offsite backup, and your home burns down, you lose all of your precious data.

As pointed out by @grahroll, you should use a cloud service that will encrypt your data before sending it. Additionally, there is software (e.g. Genie Timeline, although it has been very unhelpful to me lately) that helps you backup to a friend’s or family member’s home. Don’t use the next-door neighbour, because natural or unnatural disasters can be widespread. If possible, backup to another city.

Correction: if/when quantum computers gain sufficient power, then certain types of encryption will no longer be effective and safe*. These include public key encryption that relies upon the multiplication of two very large prime numbers, and Elliptic Curve Diffie-Hellman encryption (ECDHE), which similarly relies upon complex computations. The reason these encryption methods will fall by the wayside is that division is currently very difficult for a computer - but is probably not so difficult for a quantum computer.

*I think someone calculated that a prime number with a length equivalent to that of all the atoms in the universe would be safe from quantum computer breakage. Unfortunately, that is also unfeasibly long.

Fortunately, there are many types of encryption that are considered to be ‘quantum-computing safe’.

5 Likes

Received another email today telling me that they’ve been notified as well and I should do xyz.

You can just log into PageUp and change your password if you wish. For now I don’t see the point as they are still investigating what happened.

Some companies have suspended candidate search till they can use PageUp again. Others are asking candidates to email at a designated email address.

What a mess…

2 Likes