Entire OnHire Cyber Incident May 2025 - FAQ
Entire OnHire Cyber Incident
Frequently Asked Questions
16 June 2025
This FAQ is designed to assist clients in responding to questions from affected individuals following the notification of the incident.
|
Question |
Suggested response |
Incident details |
||
1 |
What happened? |
Entire Software operates Entire OnHire, a software platform many businesses in the OnHire sector use to manage our workforce, including rostering and payroll. Entire Software recently advised its clients of an incident which resulted in unauthorised access to a small number of client systems using Entire OnHire. The extent of the unauthorised access is limited to activated members in affected client systems. On 26 May 2025, Entire Software was contacted by a person who claimed to have obtained unauthorised access to Entire OnHire. As soon as it received that contact, it commenced an investigation to identify the scope and extent of any unauthorised access. The detailed investigation has indicated that an intruder appears to have used stolen member credentials to log in to the Entire OnHire legacy member portal. Through this access, the intruder was able to learn more information about Entire Software’s system. Using this information, the intruder attempted to penetrate and take over the system, but was unsuccessful. The intruder was, however, able to access data from the Entire OnHire database in relation to a small number of clients. The data included personal information about current and former employees stored in Entire OnHire. There is currently no evidence that any of the stolen data has been misused or disclosed by the intruder. |
2 |
When did the incident occur? |
Entire OnHire first became aware of the incident on 26 May 2025. They reported the incident to affected clients on 6 June 2025. |
3 |
When will you have more information? |
Entire OnHire’s investigation remains ongoing. At this stage, they anticipate that the investigation will be completed by June 30th. However, they also want to ensure that the investigation is thorough and provides as much information as possible about what happened. We will provide additional information as soon as we can. |
4 |
What is Entire OnHire doing to address this incident and ensure it does not happen again? |
As soon as it became aware of the intrusion, Entire Software engaged its cyber security response team which includes external technical and forensic experts from AWS, CrowdStrike, Rackspace and Cloudflare. Entire Software enacted a cyber response plan as per ISO procedures and implemented a range of additional technical and practical measures to terminate the intruder’s access to Entire OnHire, to strengthen security of the platform, and to limit the risk of this kind of incident reoccurring in the future. These measures initially included geo-restriction of traffic, new firewalls, hardening protections around Entire OnHire APIs, decommissioning the legacy member portal, and adding an additional layer of protection on APIs. Several features and services were also deactivated until they could be further secured (such as the Client App). Additionally, MFA was activated on all client systems, and clients who were potentially at risk had their passwords reset. These steps were successful. The findings of the investigation continue to suggest that the legacy member portal was the primary entry point for the intruder (using stolen login credentials), and as such it has now been permanently decommissioned. The incident also highlighted the value of having MFA enabled, which is why it is now mandatory. Entire Software has reported the incident to the Office of the Australian Information Commissioner and the Australian Federal Police. Entire OnHire and [client] will continue to liaise with those authorities regarding the incident and ensure that all of our statutory responsibilities are met. Entire Software is committed to learning from this incident and taking whatever steps are necessary to ensure that it does not happen again. |
5 |
Is Entire OnHire now secure? Is it safe to use? What have you done to secure Entire OnHire? What was the operational impact of the incident? |
Entire OnHire has implemented a range of additional technical and practical measures to terminate the intruder’s access to Entire OnHire, to strengthen security of the platform, and to limit the risk of this kind of incident reoccurring in the future. These measures initially included geo-restriction of traffic, new firewalls, hardening protections around Entire OnHire APIs, decommissioning the legacy member portal, and adding an additional layer of protection on APIs. Several features and services were also deactivated until they could be further secured (such as the Client App). Additionally, MFA was activated on all client systems, and clients who were potentially at risk had their passwords reset. These steps were successful. Some features deemed higher risk that could not be quickly further secured (particularly those with third party access) will remain offline until necessary additional security measures have been developed - these include CV Parsing, Vevo Integration, TFN declaration, Reference Check and Client App. The findings of the investigation continue to suggest that the legacy member portal was the primary entry point for the intruder (using stolen login credentials), and as such it has now been permanently decommissioned. The incident also highlighted the value of having MFA enabled, which is why it is now mandatory. The incident did not affect the latest version (version X) of Entire OnHire, and Entire Software intends to fast track the rollout of this version. It is important to note that the incident is limited to the Entire OnHire platform and does not affect XeopleRecruit or [client]’s own IT systems. |
6 |
Who is responsible for the incident? |
The person responsible has not been identified at this stage. Investigations are still ongoing. |
7 |
Was this a ransomware attack? |
This was not a ransomware attack. Entire Software was contacted by a person who claimed to have obtained unauthorised access to its systems, but it has confirmed that no ransomware or malware was involved. |
8 |
Was a ransom paid? |
No payment has been made to the intruder. |
Personal information |
||
9 |
Was any of my personal information affected? |
While investigations are still ongoing, at this stage it appears that the intruder accessed and stole data from the Entire OnHire database in relation to a small number of clients, including [client]. The affected personal information of [client]’s current and former employees included:
· names and contact details;
· dates of birth;
· tax file numbers;
· superannuation account details;
· some details of identity documents such as driver’s licences and passports (not scanned copies but typed details in system); and
Not all of the above types of personal information are held for every individual, so some of the above types of personal information may not apply to you. There is currently no evidence that any of the stolen data has been misused or disclosed by the intruder. Entire Software has also noted that the format of the data as extracted by the intruder was not a readily usable format. For example, the records containing tax file numbers did not directly identify employee names. They believe it would be difficult for the intruder to make any use of the data, or put it into a usable format. |
10 |
What data is definitely affected or taken? |
Entire Software can confirm that generally the above types of personal information of current and former employees were within the pool of affected data. Not all of the above types of personal information are held for every individual, so some of the above types of personal information may not apply to you. Entire Software has also noted that the format of the data as extracted by the intruder was not a readily usable format. For example, the records containing tax file numbers did not directly identify employee names. They believe it would be difficult for the intruder to make any use of the data, or put it into a usable format. |
11 |
Which employees were affected? |
Entire Software is unable to confirm exactly which employees were definitely affected by the incident. However, given the fact that tax file numbers were stored for every employee as part of the onboarding process, Entire Software recommends that we contact every employee (including inactive, active, suspended or terminated) as tax file numbers were a part of the stolen data. |
Notification and support |
||
12 |
Have you notified authorities? |
Entire OnHire reported the incident to
|
15 |
Why did you take so long to notify us? Why didn’t you notify us sooner? |
Entire OnHire detected the incident on 26 May 2025. Since then, its response team has been working hard to investigate the validity, scope and cause of the incident. While it conducted that investigation as quickly as possible, it took some time until it had sufficient knowledge of the incident to be in a position to tell clients and affected individuals what happened. Entire OnHire informed clients on 6 June 2025, and we notified the affected individuals as soon as we could after that. |
16 |
Are there any actions I should take to protect myself or my information? |
We have provided a letter to all affected individuals about the data breach. This letter contained detailed advice on measures that affected individuals can take to protect themselves.
· Review current passwords to ensure they are strong and not replicated across multiple services
· NEVER share your login or password details with anyone
· Use secure password manager software storage services (such as Dashlane, 1Password)
· NEVER store passwords in easily accessible local storage or note services (e.g. sticky notes, Word, Excel) |
17 |
Who can I contact about this incident? |
Please direct any further questions about this incident to Entire Software’s support team at incidentresponse@entiresoftware.com. Contact the ATO to inform them your details may have been included in a cyber incident - ensure to confirm your TFN to them. Entire has engaged IDCare, Australia's cyber incident community service, to provide support services to affected individuals. Entire encourages |
18 |
Have you set up dark web monitoring for the stolen personal information? |
Yes, this service is being engaged in conjunction with IDCare. |