Australia's national identity and cyber support service IDcare has explained that people who had their information accessed through the PageUp data breach are under no risk of identity theft.
"Whilst it is important to acknowledge that breached personal information impacts people in different ways, based on investigations undertaken to date by PageUp, at this point IDcare assesses that the direct risk of identity theft is unlikely," IDcare managing director Dave Lacey said in a statement.
"Identity thieves typically require other forms of personal information to successfully manipulate this type of data, such as driver licence, passport, and account details, in order to obtain credit in a person’s name or related acts of impersonation."
So far, PageUp has revealed that information including employee contact information such as name, email address, physical address, and telephone number; and employment information such as employment status, company and title, and whether they were the registered contact for communications from PageUp, may have been compromised.
Also, job applicants' name, email address, physical address, telephone number, gender, date of birth, and middle name, nationality, and whether the applicant was a local resident at the time of the application may also have been accessed, as well as details of people who were given as references to applicants.
On 5 June, PageUp announced that its clients' data could have been compromised after the company detected "unusual activity" in 23 May.
The company's system was infected with malware, which has subsequently been removed, according to the software vendor.
PageUp has said in a statement on 12 June that, while the investigations are ongoing, the company believes data was accessed.
While the breach is still under ongoing investigation it is so far unlikely that data accessed could be used in identity theft and more likely to be used in online scams.
"IDcare assesses that there are other risks that are likely to be more relevant to impacted individuals, including the possibility of phishing emails, telephone scam calls, and specific risks to individuals concerned about their contact information, physical address, and employment details (and applications) becoming known to third parties," Lacey said.
Head of the Australian Cyber Security Centre (ACSC) and national cyber security adviser Alastair MacGibbon said PageUp has been transparent in communicating the events.
"PageUp has committed to advising impacted organisations and individuals if there are any new findings to arise as they complete their investigations," MacGibbon said. "PageUp has demonstrated a commendable level of transparency in how they’ve communicated about, and responded to, this incident: they came forward quickly and engaged openly with affected organisations."
On 18 June, PageUp revealed that information accessed also included some clear text password data from 2007. While current PageUp password data is protected using the password hashing algorithm, bcrypt, which includes salts, the company said that failed login attempt data from 2007 and before contained a very small amount of password data in clear text.
