06 Jun How Paymentsandco could have prevented Pageup data breach
Pageup, a cloud HR Software as a service (SaaS) provider has been hacked with the use of a Malware.
This is particularly of interest to analyse against our strategy in order to prove how could have prevented the breach from occurring as well as demonstrate that this breach is not a cloud issue but rather a configuration of the cloud service issue.
Malware in online services is not common these days and even stranger for a cloud service, so we will proceed to analyse the data that is already in the public domain.
The company’s system was infected with malware, which has subsequently been removed, according to the software vendor.
- This clearly points to access control on the server and the patching level of the servers. One would expect that software as a service would implement the highest level of security. Malware only exists where there are vulnerabilities that are exploited. Questions will be asked of the security around the SaaS and the monitoring levels in place to detect such abuse. this contradicts their ISO27k accreditation – https://www.pageuppeople.com/en-uk/news_item/iso-27001-certification/
PageUp informed customers that details such as name and contact details of users could have been breached as well as usernames and passwords. However, passwords were encrypted, the company said.
Australia Post revealed that the information that may have been breached is extended in the case of successful applicants, and would have included personal information such as bank details, tax file number and superannuation details, diversity information, emergency contact information, conditions of offer and employment and other details.
- Now, here is where i have a real issue, what the hell are “bank details” doing with employee records, this is beyond the obvious, it is to be able to pay the employee response. It is not. The company does not physically pay its employees, it instructs a bank to pay the employee. The need for bank details is therefore pointless and has now made this data breach, a potential financial or economic loss issue, if not a Visa and MasterCard issue
- i am not suggesting it is the same in this case, as the evidence is not there, I used to have clients that would take an employee card detail as a prove of ID and of course they stored that card data with the employee record.
- i am not reducing the impact of identity theft but the bank details could now mean, if card data is involved, a VIsa and mastercard issue. Which begs the question, why keep bank details and employee details together?
- we would have resolved this by converting the employee card details into tokens. Only the bank will know which bank details relates to the employee. When it comes to paying the employees, we give the bank the instruction and they pay the token that relates to the employee.
- In the new GDPR world for European countries, this breach would have cost the Pageup a significant amount of money and it still may if UK clients were involved or if the malware impacted their EU instance
- certificates are nothing more than paper – https://www.pageuppeople.com/en-uk/news_item/iso-27001-certification/
- I am not one to point fingers, however, CISOs and CTO or CIO that don’t go OTT in the protection of their data should be fired, if they are living in the old school mentality, they need to retire and go farming and there is no space for that type of thinking the new world. How can an Exec not see in this day and age that you ought to seperate financial data from personnel data!
one can only hope that other SaaS providers are paying attention and learning from the lesson of others.
One of the recommended approaches is to keep a record of all the locations where card or financial data are kept and to make sure they are compliant with the standards. This should be reviewed at least quarterly.
Never rely on a supplier saying they are compliant, check for yourself and if you are not satisfied, do not use the supplier.