Threat Brief: Operation Lunar Peek, Activity Related to CVE-2024-0012 and CVE-2024-9474 (Updated Nov. 19)
Threat Assessment: Ignoble Scorpius, Distributors of BlackSuit Ransomware
FrostyGoop’s Zoom-In: A Closer Look into the Malware Artifacts, Behaviors and Network Communications
See all Unit 42 Threat Research

Global Candidate Privacy Notice

Effective Date: January 1, 2023

Palo Alto Networks is committed to protecting the privacy and security of your personal data. This Global Candidate Privacy Notice (“Candidate Privacy Notice”) describes how Palo Alto Networks, Inc. and its subsidiaries and affiliated entities (collectively, "Palo Alto Networks," "we," or "us") collect and process personal data about you during the application and recruitment process. This Candidate Privacy Notice applies to job applicants only, but supplements and should be read together with the Palo Alto Networks Privacy Notice which applies to all personal data collected on our website(s).

This Candidate Privacy Notice describes the categories of personal data that we collect, how we use your personal data, how we secure your personal data, when we may disclose your personal data to third parties, and when we may transfer your personal data outside of your home jurisdiction. This Candidate Privacy Notice also describes your rights regarding the personal data that we hold about you and how you can request access to, correction of, object to or restrict processing of, portable copies of, and erasure of your personal data.

We will only process your personal data as described in this Candidate Privacy Notice unless otherwise permitted or required by applicable law. We take steps to ensure that the personal data that we collect about you is adequate, relevant, not excessive, and processed for limited purposes.

Depending on your jurisdiction, there may be certain rights applicable to you for which we may provide separate notice informing you of your rights and how to adequately exercise them.

1. Collection of Personal Data

For purposes of this Candidate Privacy Notice, personal data means any information about an identifiable individual or household collected in connection with the application and recruitment process. Palo Alto Networks may collect personal data directly from you, as a job applicant, or may receive personal data from third parties, for example, via forms you submit to us on our website or job application portal in connection with a background, employment, or reference check, subject to your consent where required by law. We may collect, store, and process the following categories of personal data in connection with our recruiting and interview process:

  • Personal contact details such as name, title, addresses, telephone numbers, and personal email addresses.
  • Work history and other relevant experience including information contained in a resume, CV, cover letter, or job application.
  • Education information including degrees awarded, transcripts, and other information provided in support of the job application.
  • Compensation history, but only where permitted by law.
  • Information collected during phone screenings and interviews.
  • Details regarding the type of employment sought, desired salary, willingness to relocate, job preferences, and other information related to compensation and benefits.
  • Reference information and information received from background checks, where applicable, including information provided by third parties such as recruiters.
  • Information related to previous applications to Palo Alto Networks or previous employment history with Palo Alto Networks.
  • As applicable to work arrangement, immigration-related information, visa status, citizenship, and related family status (e.g., spouse or other family).
  • Any additional personal details that you otherwise voluntarily provide to us.

The provision of full and complete information in support of a job application is necessary for selection purposes. Failure to provide any of the data may affect the processing of your application.

2. Use of Personal Data

We only process your personal data as described in this Candidate Privacy Notice or as otherwise required or permitted by applicable law in connection with carrying out our application and recruitment process. We may process your personal data for the following legitimate business purposes:

  • Identifying and evaluating job applicants, including assessing skills, qualifications, and interests.
  • Verifying your information and carrying out employment, background, and reference checks, where applicable, subject to your consent where required by applicable law.
  • Communicating with you about the recruitment process and your application.
  • To demonstrate job applicants’ agreement to, or acceptance of, documents presented to them, e.g., pre-employment agreements, acknowledgment of employment applications, and offer letters.
  • Keeping records related to our hiring processes.
  • Creating and submitting reports as required by applicable laws, regulations, or court orders.
  • Analyzing and improving our application and recruitment process.
  • To comply with our legal, regulatory, or other corporate governance requirements.
  • Analyzing and improving our application and recruitment process.
  • Complying with applicable regulations, legal processes, corporate governance requirements, or enforceable government requests, as well as local, state, and federal law, regulations, ordinances, guidelines, and orders.
  • To protect the rights and property of Palo Alto Networks, other job applicants, employees, or the public, as required or permitted by law.

We will store the personal data we collect about you for no longer than necessary for the purposes set out above and in accordance with our legal obligations and legitimate business interests. In addition to using your personal data for the position for which you have applied, we may retain and use your personal data to inform you about and consider you for other positions that may be of interest to you. If you do not want us to consider you for other positions or would like us to remove your personal data, you may contact us at privacy@paloaltonetworks.com. We will only process your personal data for the purposes for which we collected it unless otherwise required by applicable law. If we need to process your personal data for an unrelated purpose, we will provide notice to you and, if required by law, seek your consent. We may process your personal data without your knowledge or consent where required by applicable law, regulation, or court order.

3. Collection and Use of Sensitive Personal Data

The following categories of personal data may be considered sensitive under the laws of your jurisdiction and may receive special protection:

  • Race or ethnic origin.
  • Political opinions.
  • Religious, philosophical, or moral beliefs.
  • Trade union membership.
  • Social welfare, gender, sexual life, or sexual orientation.
  • Physical or mental health or condition.
  • Unlawful or objectionable conduct, criminal charges, or convictions.
  • Biometric information.
  • Genetic data.
  • Financial information.

We may collect and process the following categories of sensitive personal data when you voluntarily provide them or we receive them from a third party with your consent, when relevant for a particular position and as permitted by applicable law:

  • Physical or mental health or condition or disability status to determine appropriate workplace accommodations and evaluate fitness for a particular position or for the provision of benefits.
  • Family and/or marital status and limited health information required to process an employee's request to apply for supplemental health insurance or other optional benefits for the employee and/or related persons.
  • Race or ethnic origin to ensure meaningful equal opportunity monitoring and reporting.
  • Unlawful or objectionable conduct, criminal charges, or convictions to evaluate fitness for a particular position.

Where we have a legitimate need to process your sensitive personal data for purposes not identified above, we will only do so only after providing you with notice and, if required by law, obtaining your consent.

4. Data Sharing

We will only disclose your personal data to third parties where required by law or to our employees, contractors, designated agents, or third-party service providers who require such information to assist us with administering the application and recruitment process, including third-party service providers who provide services to us or on our behalf. We may use third-party service providers for various purposes, including, but not limited to, obtaining employment verification and background checks. These third-party service providers may be located outside of the country in which you live or the country where the position you have applied for is located.

We require all our third-party service providers, by written contract, to implement appropriate security measures to protect your personal data consistent with our policies and any data security obligations applicable to us. We only permit them to process your personal data for specified purposes in accordance with our instructions.

We may also disclose your personal data for the following additional purposes, where permitted or required by applicable law:

  • To other members of our group of companies (including outside of your home jurisdiction) for the purposes set out in this Candidate Privacy Notice and as necessary to administer the application and recruitment process.
  • If we take part in or are involved with a corporate business transaction, such as a merger, acquisition, joint venture, or financing or sale of company assets through which we may disclose personal data to a third party during negotiation of, in connection with or as an asset in such a corporate business transaction.
  • In the event of insolvency, bankruptcy, or receivership.
  • As part of our regular reporting activities to other members of our group of companies.
  • To comply with legal obligations or valid legal processes such as search warrants, subpoenas, or court orders. When we disclose your personal data to comply with a legal obligation or legal process, we will take reasonable steps to ensure that we only disclose the minimum personal data necessary for the specific purpose and circumstances.
  • To protect the rights and property of Palo Alto Networks.
  • During emergency situations or where necessary to protect the health and safety of persons.
  • Where the personal data is publicly available.
  • If a business transfer or change in ownership occurs.
  • For additional purposes with your consent where required by law.

We may combine information that we receive from the various sources described in this Candidate Privacy Notice, including third party sources and public sources, and use or disclose it for the purposes set forth herein.

5. Cross-Border Data Transfers

Where not prohibited by applicable law, we may transfer the personal data we collect about you to jurisdictions outside your home country, but in accordance with applicable legal requirements (if any) for the purposes set out in this Candidate Privacy Notice. To the extent required by applicable law, we have implemented data transfer agreements/obtained consent to secure the transfer of your personal data to other jurisdictions outside your home country that may not be deemed to provide the same level of protection as your home country.

If you are based in the UK, Switzerland, or the European Economic Area (EEA), please note that, where necessary, your personal data may be processed by other Palo Alto Networks entities and service providers outside the UK, Switzerland, and EEA, such as the United States of America. These international transfers of your personal data will be made pursuant to appropriate safeguards, such as standard data protection clauses adopted by the European Commission. If you wish to enquire further about these safeguards used, you may contact us at privacy@paloaltonetworks.com.

6. Data Security

We have implemented appropriate physical, technical, and organizational security measures designed to secure your personal data against accidental loss and unauthorized access, use, alteration, or disclosure. In addition, we limit access to personal data to those employees, agents, contractors, and other third parties that have a legitimate business need for such access and are bound to a contractual and/or professional duty of confidentiality. All personal data we collect will be stored on secure servers. When we transfer personal data to others, we will ensure that the recipients also implement appropriate technical and organizational security measures to protect your personal data.

7. Data Retention

We will only retain your personal data for as long as reasonably necessary to fulfill the purposes for which we collected it and will honor your exercise of data subject rights, subject to any limitations or exclusions recognized by applicable law. To determine the appropriate retention period for your personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of the personal data, the purposes for which we process the personal data and whether we can achieve those purposes through other means, subject to applicable legal, regulatory, tax, accounting, reporting, or other requirements or when retention is necessary to resolve a pending legal dispute.

In cases where we have no ongoing legitimate business need to process your personal data, we will either delete your personal data or, if this is not possible (e.g., because your personal data has been stored in backup archives), we will securely store your personal data and isolate it further from any further processing until deletion is possible.

If you are offered and accept employment with Palo Alto Networks, the personal data we collected during the application and recruitment process will become part of your employment record and we may use it in connection with your employment consistent with our employee personal data use and privacy policies. If you do not become an employee, or, once you are no longer an employee of Palo Alto Networks, we will retain and securely destroy your personal data in accordance with our retention policy and any applicable laws and regulations.

8. Rights of Access, Correction, Erasure, and Objection

We use a combination of legitimate interests, performance of a contract (including the intention to enter into a contract) and/or consent as the legal bases to process the personal data that you share with us as part of the application and recruitment process.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during the application and recruitment process. By law, you may have the right to request access to, correct, or erase the personal data that we hold about you, object to or restrict our processing of your personal data, or request the portability of your personal data, under certain circumstances. If you wish to exercise any of these rights, please contact us at privacy@paloaltonetworks.com. Depending on the jurisdiction where you are located, some of these rights may not apply.

We may request specific information from you to help us confirm your identity, verify your rights, and respond to your request, including to provide you with the personal data that we may hold about you. Please note that applicable law may allow or require us to deny your request or there may be cases where we may have already destroyed, erased, or made your personal data anonymous in accordance with our record retention obligations and practices. If we cannot respond to your request, we will inform you of the reasons why, subject to any legal or regulatory restrictions.

9. Consent

We are not required to obtain additional consent for most of the processing activities that we undertake in respect of the personal data you have submitted to us. We may, however, seek your consent for some uses of personal data. If we need your consent, we will notify you of the personal data we intend to use and how we intend to use it.

You will never be obligated to provide us with your consent. Where you have provided your consent to the collection, processing, and transfer of your personal data, you may have the legal right to withdraw your consent under certain circumstances. To withdraw your consent, if applicable, contact us at privacy@paloaltonetworks.com.

10. Data Protection Officer

We have appointed a data protection officer to oversee compliance with this Candidate Privacy Notice. If you have any questions about this Candidate Privacy Notice or how we handle your personal data, or you would like to make a request relating to your personal data, please contact the data protection officer at: privacy@paloaltonetworks.com. If you are unsatisfied with our response to any issues that you raise with the data protection officer, you may have the right to make a complaint with the applicable data protection authority in your jurisdiction.

11. Changes to This Candidate Privacy Notice

We reserve the right to update this Candidate Privacy Notice at any time and we will provide you with access to any new Candidate Privacy Notice when we make any material updates. If we would like to use your previously collected personal data for different purposes than those we notified you about at the time of collection, we will provide you with notice and, where required by law, seek your consent before using your personal data for a new or unrelated purpose. We may process your personal data without your knowledge or consent where required by applicable law, regulation, or court order.

12. Contact Us

If you have any questions about our processing of your personal data or would like to make an access or other request, please contact us at: privacy@paloaltonetworks.com.

California Rights Addendum

Effective Date: January 1, 2023

This California Rights Addendum (the “Addendum”) supplements Palo Alto Networks’ (“we”, “us”, and “our”) Global Candidate Privacy Notice and supports compliance with the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively, the “CPRA”), and this Addendum solely applies to you if you are a covered person who resides in the State of California in the United States of America.

In the event of a conflict between the terms of this Addendum and the rest of the Global Candidate Privacy Notice, this Addendum shall take precedence for California residents. Capitalized terms not defined herein shall have the meanings set forth in the California Consumer Privacy Act (“CPRA”).

1. Key Definitions under the CCPA and CPRA

For purposes of this Addendum, the term “personal information” includes “sensitive personal information” such as social security number, driver license number, state identification card, passport number, financial data, genetic data, biometric data, precise geolocation, and racial and ethnic origin, content of consumer communications (email, mail, or text) unless the business is the intended recipient, genetic data, and information collected concerning a consumer’s health, sex life, or sexual orientation.commission or alleged commission of crime or related proceedings, and/or financial information. Any terms used but not defined herein have the meanings assigned to them under the CPRA.

In any event, under the CPRA, personal information (including sensitive personal information) generally does not include (i) publicly available information from government or other publicly available records, (ii) de-identified or aggregated information, or (iii) any other information excluded under applicable law.

2. Your Privacy Rights

As of January 1, 2023, the CPRA provides California residents (referred to as “you” herein) with specific rights regarding their personal information, subject to certain legal limitations and exceptions. The existing and new rights available to California job applicants include the following:

  • Right to know what categories of personal information being collected or that an employer holds about you. Specifically, you have the right to request that we disclose certain information to you about our collection and use of your personal information over the past 12 months (the “right to know”). In response to your verified request, we will disclose to you:
    1. The categories of personal information we collected about you;
    2. The specific pieces of personal information we collected about you;
    3. The categories of sources from which we collected personal information about you;
    4. The purpose(s) for which we use that personal information; The categories of third parties with whom we share that personal information, including identifying the personal information categories that each category of recipient obtained; and
    5. The categories of information that the business sells or discloses to third parties.
  • Right to access the personal information collected by a business about the person, in a portable and usable format,
  • Right to delete personal information (subject to certain exceptions, including to comply with a legal obligation),
  • Right to correct inaccurate personal information maintained by the employer,
  • Right to know what personal information is sold or shared with third parties (i.e., disclosure for monetary or other compensation where there is not a written agreement restricting the other party's use of the data),
  • Right to opt-out of sale or sharing of personal information,
  • Right to limit use and disclosure of sensitive personal information to specific business purposes or limited disclosures, and
  • Right to no retaliation following opt-out or exercise of their CPRA rights.

If we receive a request from a job applicant to exercise one of the above rights, we will be required to honor the request within 45 days (which may be extended for up to an additional 45 days under certain circumstances), unless an exception applies.

3. Categories of Personal Information We Collect

This section sets forth the categories of “personal information” (as such terms are defined under the CPRA) that we may collect about you when you inquire about and/or apply for employment at Palo Alto Networks.

In particular, we have collected the following categories of personal information in the preceding twelve (12) months from one or more job candidates for the purposes identified below:

1. Personal Information

Personal Information Category Business Purpose(s)
Identifiers
(including name or alias, home address, telephone number, or email address)		 Used to process and manage interactions and transactions with job applicants, service providers, contractors, and third parties; provide and perform marketing and support; maintain security of personnel and company and employee property and facilities; perform human resource functions and employment training; fulfill legal obligations of the company; and manage employment and administer benefits.
California Customer Records Statute
(including signature, education, employment history, bank account number, or any other financial information, medical information, or health insurance information, etc.)

Note: Some personal Information included in this category may overlap with other categories.		 Used to implement diversity and inclusion programs and to comply with applicable laws; perform human resource functions, including hiring and interviewing job candidates; and manage employment and administer benefits and payroll.
Protected classification characteristics under California or federal law
(such as race, national origin, religion, gender, age, sexual orientation, medical conditions, citizenship, disability, military or veteran status, request for family and medical care leave, and request for pregnancy disability leave)		 Used to implement and improve our diversity and inclusion programs and to comply with applicable laws, such as the reporting requirements of the Federal Equal Employment Opportunity Act; to perform human resource functions; and manage employment and administer benefits, reasonable accommodations, and leaves of absence.
Commercial information
(such as records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies)		 Used to process and manage interactions and transactions with customers, service providers, contractors, and third parties; and provide and perform products and services and related marketing and support.
Biometric information
(such as voice recordings or keystrokes)		 Used to conduct research for the purpose of reviewing and improving products and services and associated marketing and customer support; and to conduct employment-related training.
Internet or other similar network activity
(such as browsing or search history)		 Used to protect the Company, customer, and employee property, equipment, and confidential information; monitor employee performance; and enforce the Company's electronic communications acceptable use and code of conduct policies; manage internal investigations and whistleblower programs; and enforce the company’s legal rights.
Geolocation data
(such as the location of company-issued laptops, mobile phones, device location)		 Used to protect the Company, customer, and employee property, equipment, and confidential information; monitor employee performance; and enforce the Company's electronic communications acceptable use and code of conduct policies; manage internal investigations; and exercise the company’s legal rights.
Sensory data
(such as audio, electric, visual, thermal, olfactory, or similar information)		 Used to protect the Company, customer, and employee property, equipment, and confidential information; enforce the Company's electronic communications acceptable use and code of conduct policies; manage internal investigations; and exercise the company’s legal rights.
Professional or employment-related information
(such as work history, prior employer, human resources data, and data necessary for administering benefits and related administrative services)		 Used to establish, manage, or terminate the employment relationship or manage the post-employment relationship, administer health and Workers’ Compensation insurance programs; and comply with applicable laws.
Non-public education information
(such as Non-publicly available educational information as defined under the Family Educational Rights and Privacy Act (FERPA) and related regulations, such as a grade point average, report card, and school transcript)		 Used to the extent that educational information is relevant to interviewing and hiring qualifications for employees, interns, and contractors and as may be necessary for a tuition reimbursement program.
Inferences drawn from other personal information
(when used to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes)		 To administer, provide access to, monitor, and secure our information technology systems, websites, applications, databases, and devices; to comply with legal and regulatory obligations.

2. Sensitive Personal Information

We do not collect or process sensitive personal information or characteristics of protected classifications for the purpose of inferring characteristics about job applicants.

4. We Do Not Sell or Share Your Personal Information

We do not sell (as that term is defined under the California Privacy Rights Act (CPRA)) your personal information to third parties. This means that we do not sell, rent, share, or otherwise disclose your personal information to third parties in exchange for monetary or other valuable consideration.

5. Disclosure of Personal Information for a Business Purpose

We may share your personal information by disclosing it to a third party for a business purpose. We only make these business purpose disclosures under written contracts that describe the purposes, require the recipient to keep the personal information confidential, and prohibit using the disclosed information for any purpose except performing the contract.

During the past 12 months, we have disclosed for our business purposes the categories of personal information listed above to the following categories of third parties:

  • affiliates and subsidiaries;
  • Service Providers;
  • with third parties at your direction or that are required by law or legal process;
  • professional advisors;
  • entities to which you have consented to the disclosure; and/or
  • to the public if you choose to make such information available.

 

Get the latest news, invites to events, and threat alerts