Cyber Incident Victim: BP

In July 2018, BP disclosed a data breach stemming from a malware attack on PageUp, a third-party online recruitment portal used by the company. The incident compromised personal information belonging to individuals who had applied for retail positions at BP. Initial assessments indicated approximately 10,000 applicants were affected, but subsequent investigations revealed a significantly broader impact. By July 11, 2018, BP revised its estimate, confirming that data from roughly 60,000 job seekers had been exposed. The breach impacted applicants who submitted information through the portal over a ten-year period, dating back to 2008. While the article does not specify the exact types of data accessed, BP characterized it as "personal information" typically collected during job applications. The compromise originated from PageUp’s systems, not BP’s direct infrastructure, highlighting the supply-chain nature of the incident.

BP responded by notifying all affected individuals via email, advising them of the potential exposure of their data. The company did not publicly detail the malware’s functionality or the attackers’ methods beyond confirming the breach’s link to PageUp’s compromised systems. The revised victim count reflected BP’s expanded review of historical applicant records stored on the portal. No evidence suggested BP’s internal corporate networks or non-retail recruitment systems were involved. The incident underscored the risks of third-party vendor dependencies, particularly in handling sensitive applicant data across extended timeframes.