Home Open Sauce PageUp People's ASX plans must be in cold storage

Author's Opinion

The views in this column are those of the author and do not necessarily reflect the views of iTWire.

Have your say and comment below.

PageUp People's ASX plans must be in cold storage Pixabay

Last year, human resources firm PageUp People was reported to be considering a listing on the Australian Stock Exchange. But given this year's massive data breach and the subsequent fallout, it would probably be a safe bet that the company has put those plans in cold storage.

A recent survey may convince PageUp to push any ASX listing out even further: the CompariTech Web portal, which looked at companies listed on the NYSE that suffered and publicly disclosed breaches of a million records or more in the last three years, found that such breaches had a long-term effect on stock prices.

PageUp announced the breach on 6 June but is yet to provide a comprehensive statement as to how the breach occurred and the extent of damage. Some information was published on 19 June; additional details were published on an undated Web page which was not linked from anywhere on the company's's website.

The HR outfit has no media contact details listed on its website. It has apparently contracted the local branch of the world's biggest PR company, Edelman, to provide advice post-breach but the latter company does not appear to have much of a clue in this regard either: Edelman itself, both on its US and Australian websites, has only a Web form for contact.

After the breach, PageUp hired security firm Hivint to assist it with incident response co-ordination and security outfit Klein & Co to do the forensics needed. Yet three months and three weeks from the date the breach came to light — 23 May was given as the date when the infiltration was noticed — no details have been made public.

PageUp counts among its clients the Commonwealth Bank. the Australian Broadcasting Corporation, Telstra, NAB, Coles, Aldi, Medibank, Australia Post, Target, Reserve Bank of Australia, Officeworks, Kmart, Linfox, AMP, Asahi, Sony, Newcrest, the University of Tasmania and Lindt.

The information provided to clients is vague at best; the Federal Treasury put it this way: "PageUp cannot confirm exactly what information has been accessed."

And then, "PageUp has informed us that the type of personal information that may have been accessed includes:

  • "Contact details including name, email address, physical address, and telephone numbers;
  • "Biographical details including gender, date of birth, nationality, and whether the applicant was a local resident at the time of the application;
  • "Employment details at the time of the application, including employment status, company and title; and
  • "Referee details.

"PageUp has advised it is confident that other personal information including resumes, financial information, Australian tax file numbers, employee performance reports and employment contracts were not affected in this incident. Password data for applicants was protected using industry best practice techniques."

So how can the company state it is unable to confirm what has been exfiltrated and then go into detail about what has, and has not, been stolen?

There are many other organisations, much smaller in size and with not even 1% of the resources of PageUp — the company turned over $31 million in 2015-16 — who have suffered breaches and provided detailed information to the public at large in a fraction of the time that PageUp has maintained a stony silence.

Take the case of the Gentoo Linux project: the GitHub mirror of the project was broken into in June. Just a week later, the project, a community effort, published a full and detailed report of how the break-in had happened and what the project admins had done to deal with the situation.

There was no effort at security through obscurity; there was, instead, full disclosure. No big security firms were hired by the Gentoo admins; they were competent enough to investigate themselves and issue a technically comprehensible report for all to see. But then users are Gentoo's lifeblood; without them, there would be no project.

British Airways is the latest big name to suffer a breach; the company's online booking site was compromised between 21 August and 5 September. The breach was reported in the media on 7 September. Of course, there are much stricter requirements for breach notification in the UK, with companies being given 72 hours to fess up. There are additional rules protecting customers under the European Union's General Data Protection Regulation, which the country will have to comply with until it makes a formal exit from the EU in March next year.

BA has plenty of media contacts listed and responded to iTWire's media queries within a day or two.

A third example where disclosure was observed scrupulously was the Debian GNU/Linux project. In 2007, the servers were broken into and developer Wichert Akkerman posted a full report to keep all users informed. Debian is a much bigger community effort than Gentoo and has more than a thousand developers.

A fourth example was when the Debian project released a version of OpenSSL with a serious vulnerability unwittingly created by one of its own developers, it made no bones about it and made a full public confession.

And a fifth example of full disclosure was the breach of Czech cyber security company Avast which resulted in malware being implanted in CCleaner, a popular application that allows Windows users to perform routine maintenance on their systems and has been downloaded more than two billion times. Avast provided report after report as facts came to light

The Australian data breach law, which came into effect on 22 February, appears to have no requirements for disclosure in order that the public will be fully informed. But then, as cyber law expert Helaine Leggat told iTWire, "from a trust and company risk/reputation point of view, one would think that PageUp People would want to communicate more frequently. (I recommend Crisis Communications Policies, among other things)".

It remains to be seen whether PageUp People will come clean about the breach and close the chapter on what has been a PR disaster. But I wouldn't advise anyone to hold their breath on that score.

47 REASONS TO ATTEND YOW! 2018

With 4 keynotes + 33 talks + 10 in-depth workshops from world-class speakers, YOW! is your chance to learn more about the latest software trends, practices and technologies and interact with many of the people who created them.

Speakers this year include Anita Sengupta (Rocket Scientist and Sr. VP Engineering at Hyperloop One), Brendan Gregg (Sr. Performance Architect Netflix), Jessica Kerr (Developer, Speaker, Writer and Lead Engineer at Atomist) and Kent Beck (Author Extreme Programming, Test Driven Development).

YOW! 2018 is a great place to network with the best and brightest software developers in Australia. You’ll be amazed by the great ideas (and perhaps great talent) you’ll take back to the office!

Register now for YOW! Conference

· Sydney 29-30 November
· Brisbane 3-4 December
· Melbourne 6-7 December

Register now for YOW! Workshops

· Sydney 27-28 November
· Melbourne 4-5 December

REGISTER NOW!

LEARN HOW TO REDUCE YOUR RISK OF A CYBER ATTACK

Australia is a cyber espionage hot spot.

As we automate, script and move to the cloud, more and more businesses are reliant on infrastructure that has the high potential to be exposed to risk.

It only takes one awry email to expose an accounts’ payable process, and for cyber attackers to cost a business thousands of dollars.

In the free white paper ‘6 Steps to Improve your Business Cyber Security’ you’ll learn some simple steps you should be taking to prevent devastating and malicious cyber attacks from destroying your business.

Cyber security can no longer be ignored, in this white paper you’ll learn:

· How does business security get breached?
· What can it cost to get it wrong?
· 6 actionable tips

DOWNLOAD NOW!

Sam Varghese

website statistics

Sam Varghese has been writing for iTWire since 2006, a year after the sitecame into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.

 

Popular News

 

Telecommunications

 

Sponsored News

 

 

 

 

Connect