Author's Opinion

The views in this column are those of the author and do not necessarily reflect the views of iTWire.


Thursday, 22 November 2018 11:11

PageUp claims no data taken in breach. Please pull the other one


If human resources outfit PageUp People's chief executive and co-founder Karen Cariss is to be believed, then whoever it was that breached the company's networks and encountered a very tasty mass of data left it completely untouched. If only all hackers were as benevolent!

That's the message Cariss has attempted to spread in an email sent to customers, with a strong note of self-pity dominating her missive.

As an aside, the headline she used, "Learnings from recent security incident and roundtables" reminded one of the Sacha Baron Cohen film "Borat: Cultural Learnings Of America For Make Benefit Glorious Nation Of Kazakhstan".

The breach was announced on 6 June, with the company indicating that it had been first noticed on 23 May.

Among PageUp's customers are the Commonwealth Bank, the Australian Broadcasting Corporation, Telstra, NAB, Coles, Aldi, Medibank, Australia Post, Target, Reserve Bank of Australia, Officeworks, Kmart, Linfox, AMP, Asahi, Sony, Newcrest, the University of Tasmania and Lindt.

With a list like that, you'd be inclined to think that whoever made their way into the network would have left with something that made the breach worth their while. But it seems these hackers were on L plates. Or so PageUp would have us believe.

The one line included in the email about the investigation conducted by Klein & Co is telling: "It concluded that while an attacker was successful in installing tools that could exfiltrate data, no specific evidence was found that data was exfiltrated." (emphasis mine).

So was there any general evidence that data was exfiltrated? (Emphasis mine again). Cariss hasn't said a word more, but spent a good deal of the rest of a fairly long email wallowing in self-pity, outlining the strain that the company's staff were put under but having little regard to being open about the incident.

"The incident placed a significant strain on our internal team. Some team members took the frustrations of our customers personally and all were so committed to responding to the needs of our customers that they worked around the clock, causing people to be incredibly tired," Cariss wrote.

In other words, poor us, we suffered so much because of this breach. Why a company which turned over $31 million in 2015-16 could not be bothered putting a proper security strategy in place was never mentioned.

PageUp's communication with the media was pathetic at best. But even for this, Cariss blamed the PR company or companies that were advising her. One of them we know – the biggest global PR firm, Edelman.

But its skills in media management were laid bare when the head of its Australian operations, Edelman Australia managing director Scott Thomson, tried to imply that this writer was aiding the authors of a book on breach management by writing about the PageUp incident. That's the best he could do, which begs the question: why was Edelman hired?

Cariss says in her email, "Openness is part of our DNA..." which sounds mighty peculiar coming from a company that even today has yet to provide a comprehensive public statement as to how the breach occurred and the extent of damage. Some information was published on 19 June; additional details were published on an undated Web page which was not linked from anywhere on the company's website.

And to cap it all, the company has no media contact details listed on its website.

Apart from the company's incompetence, the one thing that the breach proved is that the Australian data breach law has no teeth. It is a figleaf and the public should not be deceived into believing that they will be in any way protected.



Sam Varghese


Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.


