PageUp incident notification
As part of Queensland Rail’s recruitment process, we use a third party software service called PageUp. Along with many other organisations, we have recently been notified by PageUp that it has identified unauthorised activity on its systems which may affect some user information.
Queensland Rail takes information security and privacy seriously. At this stage, PageUp has been unable to confirm whether any information of Queensland Rail applicants has been accessed or disclosed.
However, there are a number of precautionary steps that you can take to maximise the ongoing security of your information. We also recommend you visit
PageUp's website for further details.
We will continue to update this webpage as more information becomes known.
Frequently Asked Questions
Along with many other organisations, Queensland Rail has recently been notified by our third party recruitment software service provider, PageUp, that it has identified unauthorised activity on its systems which may affect some user information.
Queensland Rail has been, and will continue, working closely with PageUp to confirm the background to this incident and how it relates to Queensland Rail job applicants (dating back to 2009). Based on the information that PageUp has provided us to date, we can confirm that:
- On 23 May 2018, PageUp detected unusual activity on its IT systems dating back to 15 May 2018. PageUp has since investigated this activity and identified that it was affected by malware, which is a type of computer virus.
- PageUp has confirmed that 'on the balance of probabilities' an unauthorised person(s) gained access to some of the information on its systems. This means it is more likely than not that information has been accessed. We set out what that information could include below.
- It is not yet known whether information, if accessed, was downloaded or taken from PageUp's systems by the unauthorised person(s) behind the incident and PageUp is working with IT security/forensic advisors and local and international law enforcement bodies to investigate and monitor this.
- With the assistance of IT security advisors, PageUp has since taken steps to contain and prevent any further unauthorised activity on its systems and confirmed that its systems are safe to use.
At this stage, PageUp has been unable to confirm whether any of your specific information has been accessed and we are continuing to work with PageUp to confirm this.
However, you may be affected by this incident if, since 2009 you:
- were or are an employee of Queensland Rail with access to a corporate PageUp account,
- applied for any Queensland Rail position through PageUp, including current and former employees.
PageUp has confirmed that the type of information that may have been subjected to unauthorised access as a result of this incident is limited to:
Information potentially accessed |
|Current and former employees with access to a corporate PageUp account |
- Employee contact information including name, email address, physical address, and telephone number.
- Employment information including employment status, company and title, and whether you were the registered contact for communications from PageUp.
- Login details such as usernames and passwords, which PageUp has confirmed was encrypted.
|Applicants that applied for a position with Queensland Rail through PageUp (including current and former employees)|
- Contact information including name, email address, physical address, and telephone number.
- Biographical information including gender, date of birth, and middle name (if applicable), nationality, and whether you were a local resident at the time of the application.
- Employment information at the time of the application including employment status, company and title.
- If your application was submitted for a reference check, then the information may also include (if provided): technical skills, special skills, team size, length of tenure with your previous company, reason for leaving that position (if applicable), and the length of the relationship between you (as the applicant) and your nominated reference.
- Login details such as usernames and passwords, which PageUp has confirmed was encrypted.
PageUp has confirmed that critical information including resumes, financial information, Australian tax file numbers, employee performance reports, and employment documents were
not affected by this incident. This includes information contained in PageUp's New Starter Forms, Onboarding, Performance, Learning, Compensation or Succession Modules.
The information that PageUp specifically holds about you will depend on what information you provided to PageUp. This will vary from person to person. You can review this by logging into your PageUp account. You can also elect to delete your account. More information is available on
As a precautionary measure, Queensland Rail has reset the passwords to all Queensland Rail PageUp accounts. If you use the platform again, you will be prompted to change your password the next time you attempt to log in.
The Office of the Australian Information Commissioner (OAIC), Australian Cyber Security Centre (ACSC) and Australia's leading National Identity and Cyber Support experts, IDCARE, have released a
joint statement outlining the nature, scope and impact of this incident and risks to potentially affected individuals.
Importantly, IDCARE has stated:
Whilst it is important to acknowledge that breached personal information impacts people in different ways, based on investigations undertaken to date by PageUp, at this point IDCARE assesses that the direct risk of identity theft is unlikely. Identity thieves typically require other forms of personal information to successfully manipulate this type of data, such as driver licence, passport, and account details, in order to obtain credit in a person’s name or related acts of impersonation.
IDCARE assesses that there are other risks that are likely to be more relevant to impacted individuals, including the possibility of phishing emails, telephone scam calls, and specific risks to individuals concerned about their contact information, physical address, and employment details (and applications) becoming known to third parties.
Although it is currently unclear what information has been accessed as a result of this incident (if any), as a precaution, we have outlined below steps that you can take to maximise the ongoing security of your information.
- Protect your other online systems (for example, online banking, social media, email) by resetting your password if you re-use the same password as your PageUp account, and enable multi-factor authentication and other available security measures.
- Remain vigilant to telephone call, SMS, email and social media phishing scams, and only respond to legitimate communications from Queensland Rail or PageUp. Do not open attachments, click on links, or respond to communications from unknown senders. If in doubt, confirm the authenticity of the communication with us or PageUp. More information about phishing scams is available on the
- Protect your devices by installing appropriate anti-virus software, and applying all recommended software patches from operating system and software providers.
You can find additional guidance about protecting your identity by visiting the
what to do after a data breach
. You can also find additional guidance by visiting
Upon learning of this incident, Queensland Rail suspended its use of PageUp's services until we could be confident that the incident had been contained and that PageUp's platform was secure.
PageUp has since engaged an independent third-party security firm to investigate the incident, and based on advice and assurance from PageUp and this third-party expert, Queensland Rail has now re-commenced PageUp's services and are accepting online applications.
We confirm that the incident affected PageUp's systems only, and no information held by Queensland Rail on its systems was affected by this incident.
Queensland Rail is a vertically integrated rail transport company comprising passenger rail services; ownership and management of access to more than 6,500km of track across Queensland, plus the supporting operational, network and corporate services.
With more than 5,800 staff, more than $6 billion in assets, Queensland Rail has a proud 150 year history of being a safe and reliable railway operator, contributing to Queensland’s economic, social and regional development.
Here at Queensland Rail, our mission is to be a vibrant learning organisation where safety comes first and our people and customers are central to everything we do.
Our people are our first priority and this is the principle behind our approach to safety. Safety is relevant to everything that we do and applies to how our people behave, how we operate and where we see our future.
career opportunities here or sign up to a
Diversity and Inclusion
Queensland Rail is committed to creating a diverse and inclusive workplace, where people’s unique backgrounds, strengths and experiences are respected and valued. At Queensland Rail, we believe diversity and inclusion drives innovation, problem solving and team performance, which delivers better outcomes for our business and our customers.
We encourage women, Aboriginal and Torres Strait Islander people, people with disability, people from non-English speaking backgrounds, and members of other diverse groups to apply for vacancies in our organisation.
Queensland Rail is committed to making reasonable adjustments to provide a positive, barrier-free recruitment process and supportive workplace. We are also open to discussing flexible work options.
Meet Queensland Rail women working in non-traditional areas by viewing the videos below.