Vendor of Careers@Gov job portal hit by malware

Applicants for public service jobs in Singapore could have had their information compromised, as a malware infection was found to have hit an outsourced Australia-based vendor.

Users of the Careers@Gov online portal, which lists job positions and takes in applications for public sector vacancies, were informed of a malware breach of the portal's vendor by e-mail on Sunday night.

"At this stage, the vendor has not seen further sign of suspicious activity. The malware has been contained and the threat eradicated," said the e-mail from Careers@Gov.

The portal is run by Australian human resources software provider PageUp, which counts universities, banks and the Tasmanian government among its clients.

It provides recruitment and career software for companies to create a website portal that lets them publish job openings, receive applicants' resumes and shortlist applicants.

A spokesman for the Public Service Division, which oversees the portal, said it is investigating and getting more information from PageUp.

Careers@Gov has about 297,000 accounts held by public officers and members of the public who have accessed the portal to apply for a job with the public service. It is not known how many local accounts may have been compromised.

PageUp had detected the malware infection much earlier, with its chief executive and co-founder Karen Cariss posting a statement on the company's website saying that the company detected unusual activity on its IT infrastructure three weeks ago.

"We have some indicators that client data may have been compromised," she said.

Such data could include names and contact details of users, along with usernames and encrypted passwords.

Ms Cariss said the company is conducting a forensic investigation and is working with law enforcement and government authorities on the matter.

A check by The Straits Times yesterday showed the Careers@Gov website was still running on the PageUp system, even as other clients, such as Australia's Commonwealth Bank and telco Telstra, pulled their recruitment websites offline last week.

Mr Nick FitzGerald, a senior research fellow at cyber security company ESE, said that although PageUp uses a strong encryption technique to protect user passwords, users should change their passwords.

The damage done by the malware could go beyond infrastructural costs, said Mr Stuart Fisher, senior vice-president for Asia Pacific at cyber security company Deep Instinct.

"It can also affect the public's trust and use in digital government services," he said.