Update - Unauthorised Access of Third Party Vendor IT Systems
Aurizon is among a number of large Australian organisations who has been notified by PageUp (its cloud-based software vendor for recruitment) that there has been unauthorised activity on their IT systems.
Initially PageUp provided advice that there was no evidence that Aurizon’s job applicants’ information had been compromised. A statement was published on Aurizon’s website on 7 June 2018 to advise of this information.
Aurizon has since received an update from PageUp to advise that while investigations are continuing, ‘on the balance of probabilities’, PageUp believes certain personal data has been accessed.
What data may have been accessed?
With regard to applicants, based on current information, Page Up believes that compromised data may include contact details including name, email address, physical address and telephone number. In addition, biographical details including gender, date of birth, and maiden name (if applicable), nationality, and whether the applicant was a local resident at the time of the application may have been affected.
If the application was submitted for a reference check, then the following additional details may have been provided: technical skills, special skills, team size, length of tenure with company, reason for leaving that position (if applicable), and the length of relationship between the applicant and reference.
For references who were included with an applicant’s information, PageUp has advised that contact information (including name, email address and telephone number) and employment information at the time the reference was provided (including company, title, and the length of the relationship with the applicant) are affected.
What data wasn’t accessed?
PageUp has advised that it is confident that no employment contracts, applicant resumes, Australian tax file numbers, credit card information or bank account information were affected. Except for applicant resumes, as at 14 June 2018, Aurizon does not currently collect or store this information in PageUp.
The incident was contained at PageUp and no Aurizon systems were affected in this incident.
What should I do?
If you have used Aurizon’s careers portal since 2009, Aurizon recommends you check there has been no unusual activity concerning your personal information. The Office of the Australian Information Commissioner provides guidance on how to protect yourself from identity fraud.
For general information about how you can protect your data privacy, visit the Australian Competition and Consumer Commission’s Scamwatch website.
To access your information in the PageUp system, click on the Careers/Overview page. From here you can click on existing applicant login using the email address you used at the time of your application. Once you’ve logged in, you can view the information you gave Aurizon as well as remove your account should you choose to do so.
If you’ve forgotten your password, you can request a new one to be sent to you by clicking on the 'Don’t know your password' link.
What is Aurizon doing?
Aurizon is taking the matter seriously and has taken the recommended actions to minimise any further risks. Aurizon is continuing to engage with PageUp, the Australian Government and relevant authorities regarding this incident.
Aurizon has advised its employees of this incident and is in the process of trying to contact all previous applicants who have used the system.
Aurizon is continuing to use PageUp for online recruitment following advice from PageUp that cybersecurity experts confirmed they had not identified any further threats on PageUp systems and that PageUp is safe to use. Further security measures have been implemented to help guard against any similar incident in the future.
Aurizon takes personal information and privacy very seriously and apologises for any inconvenience this incident with the PageUp system may have caused. If you have used the PageUp system in our recruitment process, Aurizon encourages you to take the recommended approach outlined above to further protect your personal information.
More information about this incident is also available on PageUp’s website.
Any further updates from Aurizon will be posted in the News section of Aurizon’s website.