As part of its process to recruit new colleagues the Kelda Group, which includes Yorkshire Water, Loop, Kelda Water Services and Three Sixty, uses a platform that has been developed by a multinational software provider (ISO27001 certified) called PageUp.
PageUp has informed us that it has discovered an unauthorised party had accessed data housed on its own servers. It is believed that this happened on 15th May and the incident was confirmed on 28th May.
The FAQs below relate to issues concerning personal information relating to:
- colleagues within the Kelda Group who had recently applied to move roles using PageUp; or
- external individuals who have registered a PageUp account to apply for a job within the Kelda Group since November 2014.
PageUp has not yet been able to tell us what information may have been compromised, but it could potentially include any information entered into the online forms on the PageUp system.
This breach relates to PageUp’s system and not any of Kelda Group’s networks/systems. Our systems have not been compromised and we have not had any loss of colleague or customer data that we hold.
We understand that the breach has now been resolved, and additional measures have been put in place to avoid further breaches. We are asking PageUp for regular updates on their progress with this.
Kelda Group has already notified the Information Commissioner’s Office as required by law.
We are notifying the individuals, internal and external, who may have been affected and will be updating them as we receive further information from PageUp.
Although there is no evidence at this time that Kelda applicant/employee data has been stolen or the data has been used inappropriately, PageUp has advised individuals to monitor their accounts and take additional steps (e.g. changing passwords if they have used the same password for PageUp as with other systems/networks).
What does PageUp say has happened?
PageUp has informed us that their network servers were accessed by an unauthorised party. Based on PageUp’s investigation to date, they believe the unauthorised access was an isolated incident over a limited period of time. It included access to a server that contained identifying information for some organisations and, primarily, personal information for individuals.
Who’s affected by this?
This potentially includes some current Kelda employees who have used the PageUp system to apply for roles and external applicants who may have applied for roles within the Kelda Group since November 2014.
What information might have been compromised?
PageUp have been unable to confirm what information may have been compromised, but this could potentially include any information entered or uploaded onto PageUp’s online system by applicants or recruiters.
How do I know if I was impacted?
Based on investigation to date, PageUp have been unable to confirm whose individual data may have been accessed. This is why we are taking steps to contact all those individuals who may have been affected and asking them to take the precautionary measure of changing their passwords, if they use the same password for their PageUp account as they do for other systems/networks.
What can I do to protect myself?
There are several additional steps you can take to protect your information:
- Always remain vigilant against threats of ID theft or fraud.
- If you suspect you are a victim of identity theft or fraud, we recommend that you report this to https://www.actionfraud.police.uk/
- Be alert to "phishing" by someone who acts like a colleague or friend and requests sensitive information over email, such as passwords, social security numbers, or bank account numbers.
- Consider placing a fraud alert or security freeze on your credit file.
- Regularly monitor all your accounts and apps for attempted log-ins and check bank accounts on a frequent basis, as these measures can help to identify fraudulent activity.
We take our obligation to help you protect your information very seriously and this is why we have contacted you.
Should I contact my bank?
It is always good practice to monitor your banking activity, and notify your bank if you notice any unusual activity on your account.
What steps have you taken to remediate the issue?
We are contacting all those individuals who may be affected. PageUp has assured us that the incident has been contained and preventative measures implemented to avoid recurrence.
Does anyone know who was behind this?
PageUp has told us that they do not currently know who is behind this incident, but they have contacted and are cooperating with law enforcement in their ongoing investigation into who was responsible.
How many individuals have been affected by this incident?
The individuals potentially impacted include those who have applied for jobs using the recruitment portal PageUp for any company in the Kelda Group, including Yorkshire Water, Kelda Water Services, Loop and Three Sixty. Based on the investigation details we have received from PageUp, we are contacting all individuals who may have been affected.
Why was PageUp storing my information if I was unsuccessful?
Your applicant account remains active within the system to enable you to access your application and apply for new jobs which may be advertised. You are also able to set job alerts to notify you if jobs are advertised which meet the search requirements that you specify.
I presumed you would be deleting my data to comply with GDPR. Why was this not done?
In May, we sent an email to all the contacts on the PageUp recruitment system, asking for consent by 31 May 2018 to keep in touch with you. We indicated that if we did not receive this consent then we would arrange for your data to be deleted. As it is, prior to the stated deadline, this incident occurred. Our current understanding is that PageUp is still investigating what has happened and has not deleted the data. We will continue to communicate with PageUp as it progresses its investigations. Where we have not received consent to remain in touch with a contact, then our request to PageUp is that the relevant data should be deleted as soon as their investigations allow this to happen. We still feel, though, that the sensible and proper thing to do is to let you know about this incident and to ask that you change your password. If you use the same password on any other accounts or apps, you should change those passwords also.
What is your data retention policy?
You can request at any time for your data to be deleted from the system, and this request will be actioned on receipt. Should you request to have your data deleted and then wish to apply for a job in future, you will need to create a new applicant account.
What specific measures did PageUp have in place to protect your data?
PageUp is a recognised multinational software provider (ISO27001 certified) that works with many international organisations including government departments and educational institutions. They use industry best practice frameworks and they hold multiple certifications for their data centres, people and services. Our contractors are legally and contractually obligated to abide by stringent privacy and security practices, and we are extremely disappointed that hackers could access the PageUp network. After this incident, we understand that PageUp and their security partners have taken additional steps to mitigate the issue, are monitoring the situation around the clock, and see no further signs of this particular threat actor or malware on their systems.