Breach, Threat Management, Data Security

Typeform breach exposes survey data collected for Tasmanian Electoral Commission, Fortnum & Mason, Monzo

A digital bank, a high-end goods merchant, and an Australian voting agency are among the first known casualties of a data breach affecting the third-party online survey provider Typeform.

Barcelona, Spain-based Typeform disclosed online last week that an unidentified, unauthorized individual accessed and downloaded a partial data back-up file that was stored on a company server.

UK-based mobile banking company Monzo, which came forward as a victim, said in its own statement that the compromised data consists of responses to past surveys. In this case, the breach may have varying levels of severity for clients, depending on the types of survey questions they previously asked.

In an FAQ, Typeform notes that the breach involves certain data that was collected up until May 3, 2018, but not after. Typeform says the breach itself was detected on June 27 and that the system flaw that allowed the intruder to gain access was remedied within a half-hour of the incident's discovery.

The full scope of the breach is not yet known. Just as Typeform has been sending emails to affected parties, its various third-party clients have likewise been reaching out their customers.

In its own separate June 29 disclosure, Monzo revealed that roughly 20,000 of its banking customers were affected. Most had only their email addresses stolen. However, other purloined data included names, cities, age ranges and salary ranges, employers, universities, postcodes and names of customers' previous banks, and Twitter usernames.

Monzo says that it has "ended our contract with Typeform, at least until they can prove they've improved their security, and have deleted all customer data from their servers." Additionally, the bank will "remove all survey data from any provider within two months of the survey" to prevent similar problems in the future.

Meanwhile, outlets including The Independent have reported that U.K. luxury retailer Fortnum & Mason has acknowledged that the breach affected 23,000 of its own customers who filled out surveys or took part in an online competition. Email addresses were most commonly compromised, but in a smaller number of cases, so were addresses, phone numbers and social media handles.

In Australia, the Tasmanian Electoral Commission noted in its own online statement that the unauthorized intruder accessed data gleaned from five different Typeform forms on its website -- including names, addresses, emails, and birth dates provided by individuals who applied for an express vote at the recent State and Legislative Council elections.

Though incident response web page does not indicate what exact information was stolen from its clients, Typeform does note that their subscription payment information (including credit card numbers) and Typeform passwords are safe. Moreover, if clients used Typeform's Stripe integration to collect their customers payment information, that data is also untouched.

In response to the incident, Typeform says that it immediately launched a full-scale review of its system security measures, and plans to scale its security team moving forward.

"In the short term, we brought in forensic security experts who have helped us review the breach, and are helping us look into all other aspects where we can improve the security of our platform," the FAQ states. "Regarding this specific incident, we've identified the vulnerability and implemented measures to prevent this type of attack."

The company also recommends that clients warn their customers of potential phishing scams or spam emails that seek to leverage their stolen information.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.