Online HR software provider data compromised – Australia’s largest companies affected.
On 23 May 2018, PageUp, an online HR software provider servicing a number of Australian companies and government agencies, detected unusual activity on its IT infrastructure. Following a forensic investigation, it was found that an unauthorised person gained access to PageUp's systems and potentially some of the personal information stored on PageUp's systems.
Under the new Notifiable Data Breaches legislation, organisations and government agencies affected by the incident need to investigate how they are impacted and, if appropriate, notify affected individuals and privacy regulators of the incident. This may include notifying the Office of the Australian Information Commissioner, or state or territory privacy regulators. There may also be commercial considerations which impact on the decision to notify.
Whilst it appears that only PageUp's systems have been subject to unauthorised access (and not the systems of affected organisations and government agencies), the incident highlights that you cannot remove your responsibilities to investigate and notify eligible data breaches, even when they occur on third parties' systems.
What to do if you are impacted
If you think your organisation or government agency may be impacted by this incident, we recommend you engage with your cyber insurers (if you have cyber insurance) or legal adviser immediately to avail yourself of any assistance they may provide and obtain their input and consent on your approach to responding to this incident. This includes any decision to re-connect to PageUp's systems (if disconnected) and preserving your position with PageUp.
Should you require legal assistance, we can recommend a number of specialist law firms who will be able to advise you on how to respond to the incident.
How can Aon help?
If you anticipate that your organisation or government agency has suffered - or will suffer - a loss as a result of the PageUp incident, we can help you manage and quantify the scope of your losses. Our specialised risk accounting practice is devoted to providing expert insurance-related accounting and analytical services to help you navigate the post-incident and claims process. If your organisation purchases cyber insurance, legal costs, forensic accounting expenses and claim preparation costs are in many cases covered (depending on the type of policy purchased).
If you require assistance, please speak to your regular Aon contact, or one of our cyber experts.