Air traffic controller Airservices Australia is the latest government agency to suffer at the hands of hackers with employee’s personal records potentially compromised through a cyber attack on third-party provider PageUp.
The breach comes after recent revelations that a company contracted to produce aviation security cards had been hacked.
Aviation ID Australia, which produces Aviation Security Identity Cards (ASIC) for regional and rural airports, admitted its systems were “intentionally accessed by an unauthorized entity”.
READ: Government moves to allay fears on security card hack.
In an email to current and former employees, Airservices said PageUp, which handles the air navigation provider’s online recruitment process, had identified unauthorized activity by a third party using “advanced cyber attack methods”.
“They promptly took steps to contain the incident and engaged law enforcement and cybersecurity experts to investigate,’’ the email said.
“While PageUp’s investigations continue, on the balance of probabilities, some personal data is believed to have been accessed without authorization. At this stage, there is no evidence of exfiltration , only access.”
Airservices said PageUp had not advised it of any specific breach of a potential employee’s personal data but it was advising candidates who had used the service as a precautionary measure.
It said information held by the contractor included name, address, phone number, email address, qualifications and work history.
The information on PageUp could also include, depending on whether an application was successful, biographical details such as gender, date of birth, maiden name and nationality.
There could also be employment details at the time of application and details of nominated referees, contact details and length of relationship with the applicant.
“Importantly, PageUp has advised us that the current results of its forensic investigations are that mainly non-sensitive data has been affected,’’ the email says. “There is no evidence that the most sensitive data categories (including your uploaded curriculum vitae, identification documents and employment contract) have been affected in this incident.”
The e-mail said PageUp had retained one of Australia’s leading cybersecurity firms to evaluate its systems and work with it to ensure there are no further incidents.
It advised current and former staff to change their password for other online services if they re-use the same password.
They should use multi-factor authentication and be aware of potential phishing emails and phone calls from institutions requesting personal details.
They should also keep the anti-virus and operating systems updated.
The new breach will be an embarrassment to the Australian government, which is trying to convince Australians to allow their health details to be part of an online health system.
However, experts have warned of the potential for hackers to compromise the health system.
Airservices was contacted for comment.
