HR software company PageUp may be the first company to face a data breach class action in Australia following a new mandatory data breach notification scheme that should make it easier for law firms to recruit class members.
Centennial Lawyers has said it’s mulling a possible class action against PageUp after the company revealed the potential breach of client data.
“On May 23, 2018, PageUp detected unusual activity on its IT infrastructure and immediately launched a forensic investigation. On May 28, 2018 our investigations revealed that we have some indicators that client data may have been compromised, a forensic investigation with assistance from an independent 3rd party is currently ongoing,” PageUp said.
The provider of HR cloud services said it had taken steps to secure its infrastructure and that there was no immediate threat. Possible information affected by the breach includes name and contact details, as well as usernames and passwords, which are encrypted, PageUp said.
Despite the company’s assurances, many big name companies have reportedly pulled their recruitment sites from the PageUp platform, including Coles, Telstra, Australia Post, Medibank, NAB, Macquarie Group, Target and Commonwealth Bank, among others.
Under the Notifiable Data Breaches Scheme that took effect in February, organisations are required to promptly notify the Office of the Australian Information Commissioner and affected individuals in the event of a data breach that could result in serious harm, or face fines of up to $2.1 million.
The mandatory notification requirement means individuals whose data has been subject to a breach are more likely to learn about it, making them easier to recruit for class actions.
Centennial Lawyers brought a class action in November on behalf of all New South Wales ambulance employees and contractors whose health and personal information were compromised in a 2013 breach. To date, there have been no major data breach class actions in Australia.
In comparison, many companies have faced data breach class actions in the US, including Equifax and Target, which last May agreed to pay US$18.5 million to settle lawsuits over a massive 2013 breach.
The OAIC in April confirmed a news report that it received a notice of a health data breach every other day after its mandatory data breach scheme took effect.
The OAIC said that between February 22 – the date the mandatory notification rules took effect – and March 31, it received 63 notifications, 15 of which concerned health service providers. A total of 119 individuals were affected, OAIC said.
It did not release the names of the companies that had been targeted by the breach.
Commonwealth Bank of Australia in May confirmed a breach of data affecting nearly 20 million accounts, but said there was no evidence that customers’ details were stolen.
The breach was not cyber-related, the CBA said, and none of the bank’s systems were compromised. A forensic investigation by KPMG concluded that the two magnetic tapes containing the historical records of 19.8 million customers were most likely disposed of, the bank said.