A firm that manages millions of job applications around the world suspects it has suffered a data breach.
PageUp's software is used for recruitment, but also salary information, bank details, tax numbers and other sensitive personal data.
Its clients include supermarket Aldi, Clydesdale Bank and chocolate-maker Lindt.
The firm has notified data regulators, including the UK's Information Commissioner's Office.
The ICO confirmed that it was investigating the breach.
In a statement, the firm's chief executive Karen Cariss confirmed that malware was the source of the incident.
She added: "On 23 May, 2018, PageUp detected unusual activity on its IT infrastructure and immediately launched a forensic investigation.
"On 28 May, 2018 our investigations revealed that we have some indicators that client data may have been compromised, a forensic investigation with assistance from an independent third party is currently ongoing.
"We take cyber-security very seriously and have been working together with international law enforcement, government authorities and independent security experts to fully investigate the matter."
The firm has two million active users across 190 countries.
Some companies, including Australian supermarket Coles, suspended their job websites as a result of the breach.
"Coles is not currently aware of any fraudulent activity relating to anyone's data occurring as a result of the security breach," it said in a statement.
"However, we recommend that any person who has applied online for a position with Coles in the past 18 months check to ensure that there has been no recent unusual activity concerning their personal information and maintain a close watch on the use of their personal information."
A spokesperson for Clydesdale Bank said: "We are aware of a potential data breach at a third-party supplier used by the bank for recruitment activity, and are currently investigating any impact on the bank's information held by them."
The General Data Protection Regulation (GDPR), which came into force in May, brings in tough new rules and larger fines for firms who have compromised user data.
Australia, where PageUp is based, brought in mandatory data breach reporting in February. Under the new legislation, companies who suspect a data breach must immediately report the incident to affected clients and customers.