
PageUp data breach, are companies in breach of law?

 

Following recent changes to Australian and European law, organisations that suffer a data breach of personal information that is likely to result in serious harm must inform those affected by the breach or face fines. The PageUp data breach was detected on the 23rd of May, and under EU law (EU GDPR) the 72 hours to notify people has passed. Under Australian law (the Privacy Act amendment, also known as the Mandatory Data Breach Notification Law), organisations have 30 days to complete their assessment.

PageUp appears to have directly notified those affected via email. However, under Australian law, although this is a data breach within PageUp's systems, if the data is not within Australia the responsibility lies with the companies that selected PageUp. The current information is that this breach involved data in the UK and occurred through malware. On that information, under the Australian Privacy Act each company is deemed to be holding the data, and hence they potentially need to notify those affected and the OAIC.

Section 26WC of the Privacy Act (Deemed holding of information) says that where "an APP entity has disclosed personal information about one or more individuals to an overseas recipient;" that entity is deemed to be holding the information.

Many companies are affected by this PageUp breach, and to highlight how widespread this is I have added a list of companies that appear to be using PageUp software at the end.

The time window for companies to perform this, which is why many companies may be in breach of law. That said, impacted companies should still consider taking action now, such as:

  • Get legal advice from Australian Privacy Act experts on the situation (we are not lawyers)
  • Read the OAIC Data breach preparation and response guide
  • Notify the Office of the Australian Information Commissioner (OAIC) of an eligible data breach
  • Notify impacted people directly and satisfy breach notification requirements
  • Contact the Commissioner for an extension or exception
  • Get help and advice with the cyber security incident

So what could have been done to avoid, detect or protect against this issue? As PageUp is an external vendor, one question is how to verify the security of an external vendor. This is a complicated question that involves independent security assessments and testing, but as a really simple test that you can apply to any organisation to get an indication of their security, just ask these two questions:

  • Do you use application whitelisting?
  • Do you have regular independent ethical hacking (aka penetration testing)?

From a technical perspective, given the current information that malware was used, Application Whitelisting is the number one protection recommended by the NSA and ASD. One product that provides Application Whitelisting is Shellprotect.

With a little bit of looking, here is a list of some of the companies using PageUp that could potentially be impacted by the breach.

  • Australian Department of Defence
  • Wesfarmers: Coles, Target, Kmart, Officeworks
  • NAB
  • Telstra
  • Commonwealth Bank
  • Macquarie Group
  • Target
  • Lindt
  • Aldi
  • Linfox
  • Reserve Bank of Australia
  • Australia Post
  • Medibank
  • ABC
  • AHG
  • Australian Red Cross
  • University of Tasmania
  • AGL
  • La Trobe University
  • Jetstar
  • Zurich
  • Aurizon
  • Attorney-General's Department
  • Allens Linklaters
  • University of Adelaide
  • The Star Sydney
  • Charles Sturt University
  • Sportsbet
  • Harvey Norman
  • Stan Well
  • Victoria University
  • Momentum Energy
  • Melbourne Water
  • Kathmandu
  • Bupa
  • Suncorp
  • WorkCover QLD
  • National Archives of Australia
  • Flinders University
  • Monash University
  • Tasmanian Government
  • MetCash
  • Australian Office of Financial Management
  • Queensland Rail
  • AusGrid
  • Spotless
  • HCF
  • Orica
  • South Australia: Department of Health
  • Transdev Melbourne
  • KPMG
  • Australian Catholic University
  • SA Water
  • Singapore Government Careers
  • Unicef
  • Powerlink
  • Armaguard
  • University of Melbourne
  • SA Power Networks

(c) 2025 Vertex Technologies Pty Ltd.
