With recent changes to Australian law and European law, after a data breach of personal information that is likely to result in serious harm, organisations are required to inform those affected by the breach or face fines. The PageUp data breach was detected on the 23rd of May, and under EU law (the EU GDPR) the 72 hours to notify people has passed. Under Australian law (the Privacy Act amendment, also known as the Mandatory Data Breach Notification law), organisations have 30 days to complete their assessment.
PageUp now appears to have directly notified those affected via email. However, under Australian law, this is a data breach within PageUp's systems, but if the data is not held within Australia the responsibility falls on the companies that selected PageUp. The current information is that the breached data was in the UK and was accessed through malware. On that information, under the Australian Privacy Act each company is deemed to be holding the data, and hence may need to notify those affected and the OAIC.
Section 26WC (Deemed holding of information) of the Privacy Act says that where "an APP entity has disclosed personal information about one or more individuals to an overseas recipient", the entity is deemed to be holding the information.
Many companies are affected by this PageUp breach, and just to highlight how widespread this is I have added a list of companies that appear to be using PageUp software at the end.
The time window for companies to do this is short, which is why many companies may be in breach of the law. That said, impacted companies should still consider taking action now, such as:
- Get legal advice on the situation (I’m not a lawyer)
- Read the OAIC Data breach preparation and response guide
- Notify the Office of the Australian Information Commissioner (OAIC) of an eligible data breach
- Notify impacted people directly and satisfy the breach notification requirements
- Contact the Commissioner for an extension or exception
So what could have been done to avoid, detect or protect against this issue? As PageUp is an external vendor, one question is how to verify the security of an external vendor. This is a complicated question that involves independent security assessments and testing, but as a really simple test that you can apply to any organisation to get an indication of its security, just ask these two questions:
- Do you use application whitelisting?
- Do you have regular independent ethical hacking (aka penetration testing)?
From a technical perspective, given the current information that malware was used, application whitelisting is the number one protection recommended by the NSA and the ASD. One product that provides application whitelisting is Shellprotect.
With a little bit of looking, here is a list of some of the companies that are using PageUp and could potentially be impacted by the breach.
- Australian Department of Defence
- Wesfarmers: Coles, Target, Kmart, Officeworks
- Commonwealth Bank
- Macquarie Group
- Reserve Bank of Australia
- Australia Post
- Australian Red Cross
- University of Tasmania
- La Trobe University
- Attorney-General's Department
- Allens Linklaters
- University of Adelaide
- The Star Sydney
- Charles Sturt University
- Harvey Norman
- Stanwell
- Victoria University
- Momentum Energy
- Melbourne Water
- WorkCover QLD
- National Archives of Australia
- Flinders University
- Monash University
- Tasmanian Government
- Australian Office of Financial Management
- Queensland Rail
- South Australia: Department of Health
- Transdev Melbourne
- Australian Catholic University
- SA Water
- Singapore Government Careers
- University of Melbourne
- SA Power Networks