A recent survey may convince PageUp to push any ASX listing out even further: the CompariTech Web portal, which looked at companies listed on the NYSE that suffered and publicly disclosed breaches of a million records or more in the last three years, found that such breaches had a long-term effect on stock prices.
PageUp announced the breach on 6 June but is yet to provide a comprehensive statement as to how the breach occurred and the extent of damage. Some information was published on 19 June; additional details were published on an undated Web page which was not linked from anywhere on the company's website.
The HR outfit has no media contact details listed on its website. It has apparently contracted the local branch of the world's biggest PR company, Edelman, to provide advice post-breach but the latter company does not appear to have much of a clue in this regard either: Edelman itself, both on its US and Australian websites, has only a Web form for contact.
|
|
PageUp counts among its clients the Commonwealth Bank. the Australian Broadcasting Corporation, Telstra, NAB, Coles, Aldi, Medibank, Australia Post, Target, Reserve Bank of Australia, Officeworks, Kmart, Linfox, AMP, Asahi, Sony, Newcrest, the University of Tasmania and Lindt.
The information provided to clients is vague at best; the Federal Treasury put it this way: "PageUp cannot confirm exactly what information has been accessed."
And then, "PageUp has informed us that the type of personal information that may have been accessed includes:
- "Contact details including name, email address, physical address, and telephone numbers;
- "Biographical details including gender, date of birth, nationality, and whether the applicant was a local resident at the time of the application;
- "Employment details at the time of the application, including employment status, company and title; and
- "Referee details.
"PageUp has advised it is confident that other personal information including resumes, financial information, Australian tax file numbers, employee performance reports and employment contracts were not affected in this incident. Password data for applicants was protected using industry best practice techniques."
So how can the company state it is unable to confirm what has been exfiltrated and then go into detail about what has, and has not, been stolen?
There are many other organisations, much smaller in size and with not even 1% of the resources of PageUp — the company turned over $31 million in 2015-16 — who have suffered breaches and provided detailed information to the public at large in a fraction of the time that PageUp has maintained a stony silence.
Take the case of the Gentoo Linux project: the GitHub mirror of the project was broken into in June. Just a week later, the project, a community effort, published a full and detailed report of how the break-in had happened and what the project admins had done to deal with the situation.
There was no effort at security through obscurity; there was, instead, full disclosure. No big security firms were hired by the Gentoo admins; they were competent enough to investigate themselves and issue a technically comprehensible report for all to see. But then users are Gentoo's lifeblood; without them, there would be no project.
British Airways is the latest big name to suffer a breach; the company's online booking site was compromised between 21 August and 5 September. The breach was reported in the media on 7 September. Of course, there are much stricter requirements for breach notification in the UK, with companies being given 72 hours to fess up. There are additional rules protecting customers under the European Union's General Data Protection Regulation, which the country will have to comply with until it makes a formal exit from the EU in March next year.
BA has plenty of media contacts listed and responded to iTWire's media queries within a day or two.
A third example where disclosure was observed scrupulously was the Debian GNU/Linux project. In 2007, the servers were broken into and developer Wichert Akkerman posted a full report to keep all users informed. Debian is a much bigger community effort than Gentoo and has more than a thousand developers.
A fourth example was when the Debian project released a version of OpenSSL with a serious vulnerability unwittingly created by one of its own developers, it made no bones about it and made a full public confession.
And a fifth example of full disclosure was the breach of Czech cyber security company Avast which resulted in malware being implanted in CCleaner, a popular application that allows Windows users to perform routine maintenance on their systems and has been downloaded more than two billion times. Avast provided report after report as facts came to light
The Australian data breach law, which came into effect on 22 February, appears to have no requirements for disclosure in order that the public will be fully informed. But then, as cyber law expert Helaine Leggat told iTWire, "from a trust and company risk/reputation point of view, one would think that PageUp People would want to communicate more frequently. (I recommend Crisis Communications Policies, among other things)".
It remains to be seen whether PageUp People will come clean about the breach and close the chapter on what has been a PR disaster. But I wouldn't advise anyone to hold their breath on that score.
