PageUp could have waited
Disclosure laws may have led PageUp to announce a big recent breach too early.
Australia’s national cyber security adviser Alastair MacGibbon said in a recent address that a “conflict of laws” forced PageUp People to disclose last month’s malware infection before it had properly assessed the damage caused.
Mr MacGibbon said the premature disclosure of the incident meant recruitment cloud service provider was “in a sense ... victimised”.
“PageUp had to notify the UK market because their requirements are very tight - within 72 hours of a suspicion,” Mr MacGibbon said.
“[Australia's] requirements aren’t as compulsive in the early stages [of an incident]."
He said the UK’s “most onerous” laws were “detrimental to PageUp”.
“PageUp in a sense was victimised by having to report to the UK market on a matter, and then if they hadn’t reported in Australia at the same time then the allegation people would make is; ‘You held back’, ‘You waited months’, because that’s how long you could do in Australia if you’re investigating activity before you came out,” he said.
“Because of that they came out to the market earlier than logically they should have because if they had had more time they could have said there’s no evidence data has been exfiltrated.”
The Australian Cyber Security Centre (ACSC), the Office of the Australian Information Commissioner and IDCARE all say there is no suggestion that “information may actually have been stolen”.
Mr MacGibbon backed that position, saying it was like “someone breaking into the house, but not necessarily leaving with what they broke in to steal”.
“I’m at pains to say there’s a difference between a person gaining access to data and a person exfiltrating data,” he said.
“I have no doubt that someone got into the PageUp systems, but I’m not convinced necessarily that any data was stolen.”
“The reaction of the market, however, was different and to me lacks maturity.”