BP data breach widens to 60,000 people after malware attack on PageUp job portal | Stuff.co.nz
BP data breach widens to 60,000 people after malware attack on PageUp job portal
Julie Iles
Anyone who has applied to work at a BP retail store since 2008 could have had their personal data compromised.
CAMERON BURNELL/STUFF
Anyone who has applied to work at a BP retail store since 2008 could have had their personal data compromised.
BP says a hack of its online recruitment portal has compromised the data of more job applicants than initially suspected.
BP has emailed about 60,000 people who applied for jobs in its retail stores since 2008 to notify them they could have had their personal information accessed by hackers. The company originally thought about 10,000 applicants' data had been breached.
The company's online recruitment provider, PageUp, an Australian company with 2.6 million users in 190 countries, first detected the breach on May 23.
BP spokeswoman Anna Radich said the company was initially told only those who had applied for jobs at retail establishments in the last 18 months could have had their name, email and home address, birthday, gender, country of residence, employment details and phone number accessed by an "unauthorised third party".
Radich said BP sent out an email at that time warning about 9500 people who had applied for jobs in BP stores their data was compromised.
READ MORE:
* Nib job applicants also at risk of the Page Up data breach
* Job seeker 'horrified' after recruitment website PageUp data breach threatens New Zealand applicants
* Over half of Kiwis more worried about privacy online than two years ago
* Thousands of 'vulnerable' customers' private data shared by Vector app
* Mercury 'extremely sorry' for privacy breach of shareholder information
* NZ privacy commissioner has pulled up Facebook for breach of privacy laws
ADVERTISEMENT
Advertise with Stuff
But an email sent out Wednesday to another 50,000 affected BP applicants, which was obtained by Stuff, came after recent revelations from PageUp's forensic investigations found anyone who had applied for jobs at BP retail establishments since 2008 could have had their data compromised.
Privacy Commissioner John Edwards has been notified of the incident, which affects prospective employees from Kathmandu, Jetstar, Nib insurance, BP, and Downer in the last 10 years.
MONIQUE FORD/STUFF
Privacy Commissioner John Edwards has been notified of the incident, which affects prospective employees from Kathmandu, Jetstar, Nib insurance, BP, and Downer in the last 10 years.
New Zealanders who applied for jobs with Nib health insurance, Downer, Kathmandu, Jetstar and Suncorp New Zealand insurers were warned in mid-June their data was also effected by the security breach. Kathmandu and Jetstar have since cut ties with the company, while Downer disabled its recruitment database and Nib and Suncorp have suspended the service.
PageUp's website said the personal details of references listed on job applications was also affected.
The company said it was "confident" that resumes, financial information, tax file numbers, employee performance reports and employment contracts were not affected by the incident.
In subsequent forensic investigations it was discovered personal data of employees, or former employees of any company that used the online portal as well as job applicants who had used the portal, may have been affected.
PageUp found names, email addresses, physical addresses, employment details and phone numbers could have been accessed in the cyber security breach.
The company's statement on the "data incident" advised that anyone who had used the job portal prior to 2007 could have also had their password compromised, as "a small number of PageUp error logs before 2007 may have contained incorrect passwords in clear text".
The company advised those with long-standing passwords it would be prudent to change them.
BP advised past job applicants that "at this stage there is no evidence the data was extracted, only accessed".
BP told affected users there was no access their data was "extracted only accessed".
123RF
BP told affected users there was no access their data was "extracted only accessed".
The fuel company has recommenced the use of the job portal since independent cybersecurity experts have confirmed it is safe to use.
ADVERTISEMENT
Advertise with Stuff
Office of the Privacy Commissioner spokesman Sam Williams said the Commissioner had been notified by several New Zealand agencies that they may have been affected.
Williams said it was not yet known whose information was accessed and whether the data was extracted or used.
"We are also aware that the Australian government's Cyber Security Centre is working with PageUp to determine the full extent of the breach, and we await their findings with interest."
Across the ditch, major Australian universities, AusPost, Coles, Telstra, Commonwealth Bank, Lindt, Aldi, NAB, Medibank and the Reserve Bank of Australia were all affected, the Sydney Morning Herald reported.
Julie Iles
Anyone who has applied to work at a BP retail store since 2008 could have had their personal data compromised.
CAMERON BURNELL/STUFF
Anyone who has applied to work at a BP retail store since 2008 could have had their personal data compromised.
BP says a hack of its online recruitment portal has compromised the data of more job applicants than initially suspected.
BP has emailed about 60,000 people who applied for jobs in its retail stores since 2008 to notify them they could have had their personal information accessed by hackers. The company originally thought about 10,000 applicants' data had been breached.
The company's online recruitment provider, PageUp, an Australian company with 2.6 million users in 190 countries, first detected the breach on May 23.
BP spokeswoman Anna Radich said the company was initially told only those who had applied for jobs at retail establishments in the last 18 months could have had their name, email and home address, birthday, gender, country of residence, employment details and phone number accessed by an "unauthorised third party".
Radich said BP sent out an email at that time warning about 9500 people who had applied for jobs in BP stores their data was compromised.
READ MORE:
* Nib job applicants also at risk of the Page Up data breach
* Job seeker 'horrified' after recruitment website PageUp data breach threatens New Zealand applicants
* Over half of Kiwis more worried about privacy online than two years ago
* Thousands of 'vulnerable' customers' private data shared by Vector app
* Mercury 'extremely sorry' for privacy breach of shareholder information
* NZ privacy commissioner has pulled up Facebook for breach of privacy laws
ADVERTISEMENT
Advertise with Stuff
But an email sent out Wednesday to another 50,000 affected BP applicants, which was obtained by Stuff, came after recent revelations from PageUp's forensic investigations found anyone who had applied for jobs at BP retail establishments since 2008 could have had their data compromised.
Privacy Commissioner John Edwards has been notified of the incident, which affects prospective employees from Kathmandu, Jetstar, Nib insurance, BP, and Downer in the last 10 years.
MONIQUE FORD/STUFF
Privacy Commissioner John Edwards has been notified of the incident, which affects prospective employees from Kathmandu, Jetstar, Nib insurance, BP, and Downer in the last 10 years.
New Zealanders who applied for jobs with Nib health insurance, Downer, Kathmandu, Jetstar and Suncorp New Zealand insurers were warned in mid-June their data was also effected by the security breach. Kathmandu and Jetstar have since cut ties with the company, while Downer disabled its recruitment database and Nib and Suncorp have suspended the service.
PageUp's website said the personal details of references listed on job applications was also affected.
The company said it was "confident" that resumes, financial information, tax file numbers, employee performance reports and employment contracts were not affected by the incident.
In subsequent forensic investigations it was discovered personal data of employees, or former employees of any company that used the online portal as well as job applicants who had used the portal, may have been affected.
PageUp found names, email addresses, physical addresses, employment details and phone numbers could have been accessed in the cyber security breach.
The company's statement on the "data incident" advised that anyone who had used the job portal prior to 2007 could have also had their password compromised, as "a small number of PageUp error logs before 2007 may have contained incorrect passwords in clear text".
The company advised those with long-standing passwords it would be prudent to change them.
BP advised past job applicants that "at this stage there is no evidence the data was extracted, only accessed".
BP told affected users there was no access their data was "extracted only accessed".
123RF
BP told affected users there was no access their data was "extracted only accessed".
The fuel company has recommenced the use of the job portal since independent cybersecurity experts have confirmed it is safe to use.
ADVERTISEMENT
Advertise with Stuff
Office of the Privacy Commissioner spokesman Sam Williams said the Commissioner had been notified by several New Zealand agencies that they may have been affected.
Williams said it was not yet known whose information was accessed and whether the data was extracted or used.
"We are also aware that the Australian government's Cyber Security Centre is working with PageUp to determine the full extent of the breach, and we await their findings with interest."
Across the ditch, major Australian universities, AusPost, Coles, Telstra, Commonwealth Bank, Lindt, Aldi, NAB, Medibank and the Reserve Bank of Australia were all affected, the Sydney Morning Herald reported.
