How the PageUp Hack is Highlighting HR’s Data Protection Problems

The recent data breach at global Human Resources services provider PageUp may have impacted millions of job seekers, the firm announced last week. Following such incidents that affect HR records, it’s often IT that gets the blame. Are HR firms and departments generally too lax at handling confidential data?

*

HR professionals have been found to be especially vulnerable to cyberattacks or user error. HR data breaches have severe consequences for individual employees and the whole organization. In 2015, confidental information of more than 22 million current and former federal employees and contractors was stolen when state-sponsored hackers hit the Office of Personnel Management (OPM), the U.S. government’s HR department.

Since then, employees have started suing their employers over other incidents, as in the case of a HR data breach at Seagate, and more law firms are lining up to take their cases. Lamps Plus was slapped with a class action in California federal court, accusing it of failing to protect sensitive personal information of workers. In-home healthcare company Lincare in May settled a HR data breach class action brought by employees. Travel Corporation is still facing a class action for a data breach earlier this year.

HR data: ready for the taking?

Corporate HR isn’t the only one hurting. Personnel departments of federal, state and local government agencies are targeted as well, as are garden-variety job boards, global executive search firms and 3rd-party vendors of personnel management tools. Why has HR become a high-value target for cybercriminals?

The explanation lies in the nature of the data HR is entrusted with. Human Resources departments and HR service providers store and process most (if not all) information that identity thieves and financial fraud networks are after.

Judging by the Identity Theft Resources Center’s 2017 data breach overview, HR systems serve as an all-you-can-eat data smorgasboard for criminals. HR records may contain the addresses of job applicants and employees (as well as of their dependents’) addresses, phone numbers, dates of birth, banking and financial information, the results of background checks, and sensitive medical information.

HR systems are a global smorgasboard for ID thieves.

Case in point: Australia-based global HR platform PageUp was a target of such an attack on job seekers’ personal data just last month, according to its blog.

PageUp is no small-timer. According to Bleeping Computer, the breach “trickled down to hundreds of companies.”

That’s quite a trickle-down. The firm’s client roster includes confectionary maker Lindt, the grocery chains Aldi and Coles, the Reserve Bank of Australia, Victoria University, and the insurance giant Zurich. PageUp says it has more than two million active monthly users in 90 countries. What were the attackers looking for?

The investigation is still underway; so far, not many details have been disclosed. But we may get a better idea from the 2018 Verizon Data Breach Report, which includes a few hints why and how human resources professionals are targeted online.

Verizon’s security researchers found that “social attacks” of phishing and pretexting directed at HR were aimed at stealing personal information (in 47% of investigated incidents), secrets (26%), internal data (22%), and credentials (17%).

“Do you know a dark joke?” – “Data protecion in HR.” – “Good one!”

The Personally Identifiable Information (PII) that HR managers are handling falls into most of these subgroups. Successful cyber attacks against human resources staff or recruiters almost always result in confidentiality breaches, since they usually involve PII.

Low hanging fruit: University HR departments

Also on PageUp’s worldwide client list: U.S.-based universities. Campus HR departments are notorious for their weak data protection and IT security. In the light of numerous such data breaches over the past years, follow-up attacks on universities resulting from the PageUp breach would not come as a surprise to cybersecurity experts.

What’s the draw for the attackers? Simply put, they go where they find most HR data. Public university systems are the largest employers in several states, including California, Michigan, New York, and North Carolina .

The University of Virginia had to deal with an attack where an HR system was compromised and the attackers were able to access sensitive personal information, such as W-2s and the banking details of university employees.

The UVa attack started with a phishing email scam. This phish asked recipients to click on a link and provide usernames and passwords. It was the type of attack that can affect almost any enterprise department. But HR was singled out because of their stored employee records.

Motive tax refund fraud

Personal and financial information (such as the bank documents and Social Security Numbers that were stolen in the University of Virginia hack) can be very lucrative for criminals who sell their booty on black markets specializing in identity theft and tax refund fraud, which is a common driver behind many attacks against corporate HR departments.

As predictable as spring follows winter, attackers use tax season as a cover, hoping that their attempts will go unnoticed in the general fuss. Legitimate tax related activities or employees emailing their tax information from various locations can confuse any security monitors that are in place and cause false positives on those tools.

The HR department of Gannet Newspapers (“USA Today) was hacked during the 2017 tax season. Employees received notification letters warning them that their SSNs, bank info, and work history may have been compromised. In the Travel Corporation attack mentioned earlier, the company was hit right in time for the 2018 tax season. The data breach affected every U.S. employee of TTC and could result in identity theft, credit card fraud, and other damages.

What had happened? TTC’s Director of Human Resources received an email from someone claiming to be the company’s Global CEO. This person asked for payroll information and all copies of TTC employees’ 2017 W2 tax forms. The HR Director promptly complied, sending the “phisher” the data and W2s for all current American employees of TTC.

Other HR data breaches are caused by plain negligence, such as this 2017 incident at the Stanford University’s Graduate School of Business (GSB).

A shared platform at the GSB exposed the personal information of nearly 10,000 non-teaching staff members at the university. An investigation found that names, birthdates, Social Security numbers and salary information had been insecured for a six-month period. An earlier (2016) breach at Stanford had left 14 terabytes of highly confidential student data unprotected on the web, including more than 5,000 financial aid applications from students over a seven-year period.

“Frontline” HR? Consider it overrun.

“HR is at the frontline of interacting with numerous vendors and potential unknown parties as they seek to address company recruitment,” attorney Richard Santelesa of SmartEdge Law told this author. HR, he says, “is uniquely vulnerable is in potential targeted spear phishing efforts and in communications with potential candidates.”

Think resumes received by email or opened/downloaded from third-party web services, such as resume databases. Researchers from IT security vendor Check Point described one malware exploit where the attackers first presented a “job application” containing a non-malicious PDF file attachment, while the second attachment to the “application” – an Excel file – contained the dangerous kicker: a ransomware enabler.

While many HR departments don’t accept direct resume submissions from applicants anymore, the intermediaries they hire – contract recruiters, search firms or platforms like PageUp – don’t have to undergo cybersecurity audits of the same sort that banks or big law firms require from their business partners.

HR data breaches, warns Richard Santelesa, can open up employers to “numerous potential state data breach notification laws as well as international obligations, depending on the specific collection practices, volume of information and locations of the applicants and HR operations.”

Reminder: Even U.S.-based companies without subsidiaries in Europe can be subject to the European Union’s General Data Protection Regulation (GDPR). In the U.S., law firms have identified HR data breaches as potential class action gold mines. Specialized websites like classaction.com encourage victims to join the resulting law suits.

Did HR learn from the OPM data breach?

A recent report by security firm ProtectWise on the techniques used by Chinese cyberespionage groups illustrates that three years after the OPM hack, HR systems still rank top on the target list of state-sponsored attackers. In their crosshairs are users whose credentials may provide elevated access to a wider network.

The security researchers warn: “We have observed spear-phishing campaigns that target human resources and hiring managers, IT staff, and internal information security staff, which are generally very effective.” Not only is HR information at risk, but human resources managers may be targeted simply because they have unfettered access to the entire corporate network from their workstations.

Recipe for disaster: HR apps and the local browser

HR professionals increasingly rely on specialized third-party platforms and web apps. They access these sites and services with a browser, the main tool for everything from handling webmail, maintaining employee portals, job postings and social media pages, to checking out job candidates on the web.

Regular browsers fetch and processes all web content on the local machine, which opens the door for malicious code and spyware to enter the corporate network.

It is incumbent on HR professionals to protect the data they have been entrusted with by using tools that are up to the task. Damages not only affect those whose data has been breached. They impact the whole organization.

*

Larry Loeb has been online since uucp "bang" addressing (where the world existed relative to !decvax) and served as editor of the Macintosh Exchange on BIX and the VARBusiness Exchange. He wrote for BYTE magazine, was a senior editor for the launch of WebWeek, and authored books on the Secure Electronic Transaction Internet protocol and "Hack Proofing XML" (his latest). Larry currently writes about cybersecurity for IBM’s SecurityIntelligence as well as Security Now.