And the indications are that the company is now looking at reducing any reputational damage that it may have suffered as a result of the intrusion; in other words, it appears to be treating security as a PR affair.
In this, it has been aided on Thursday by the Australian Financial Review, a wonderful publication that barracks for corporates whenever the opportunity presents itself (unless, of course, they happen to be companies like Huawei).
There is talk within this article of the UK's "incredibly stringent laws on breach disclosure": Britain has a 72-hour deadline for disclosure, a fact that PageUp would have been aware of when it extended its business to that country. Stringent? Hardly, when one considers the kind of shenanigans that have gone on in that country with regard to data leaks.
PageUp has changed its story a few times since the initial announcement of the breach on 6 June.
The company initially said the breach was due to a malware infection. But a statement on 12 June said: "Advanced methods were used to gain unauthorised access to PageUp’s IT systems in Australia, Singapore and the UK", indicating that the breach may have gone deeper into company systems than originally indicated.
In the AFR article, the claim is made by chief executive and co-founder Karen Cariss that the company still does not know how many records have been affected. That sounds ominous – is Cariss going to know the extent of damage only when personal details from its systems appear for sale on the dark web?
This statement comes despite the company saying it has hired security firm Hivint to assist with incident response co-ordination and security outfit Klein & Co to do the required forensics.
Adding to the problem has been the head of the Australian Cyber Security Centre, Alastair MacGibbon, who looks to be playing a PR role for PageUp. The AFR puts it this way: "Earlier this week Australia's national cyber security adviser, Alastair MacGibbon, described PageUp as being effectively 'victimised' as a result of having to out itself to Australian customers before it even knew for certain there was a problem."
Now if a company detects an intrusion on 23 May and is unable to ascertain within two weeks whether it has a problem or not, then it should not be doing business online. And arguably, a company that was set up in 1997 and claims to have "2.6 million active customer employee users in over 190 countries" should have some decent, well-paid hackers on its staff.
MacGibbon has also made some rather cute statements, saying that there is a difference between data being accessed and exfiltrated. Of course, playing with words will put some people off the track. But some of us are made of harder stuff.
The need for good tech staff is magnified by the fact that PageUp deals with oodles of personal information, and that too from a list of Australian companies that anybody would die to have as clients: the Commonwealth Bank, the Australian Broadcasting Corporation, Telstra, NAB, Coles, Aldi, Medibank, Australia Post, Target, Reserve Bank of Australia, Officeworks, Kmart, Linfox, AMP, Asahi, Sony, Newcrest, the University of Tasmania and Lindt. There could be others that I have missed.
With an operation this big, was there a dearth of funds to spend on decent security? One doubts that.
In this kind of situation, sympathy should not lie with those who have been hacked, but rather with their clients. And the more clients who end their relationship with PageUp, the harder the message will hit home: online business, especially when it involves personally identifiable information, cannot be done on the cheap.