Typeform Breach: Unencrypted Backup PilferedExposed Personal Data Comes From Completed Survey Responses
A growing number of companies are sending notification emails about a data breach at Typeform, a software-as-a-service platform for distributing and managing surveys, questionnaires and competitions.
Typeform, based in Barcelona, says it discovered June 27 that an attacker downloaded survey responses and personal data from a backup. The company says it has "identified the vulnerability and implemented measures to prevent this type of attack" again in the future.
"We have since been performing a full forensic investigation of the incident to be certain that this cannot happen again," it says. "The risk of reoccurrence is now deemed low enough to send out this communication."
Late Monday, Typeform provided more detail on the incident via one of its corporate Twitter accounts.
"At the time Typeform fell victim to this attack, it was in the process of completing a test of certain functionalities using the partial unencrypted backup," Typeform Help writes. "The hacker was able to access this specific information at this time."
Very understandable question. At the time Typeform fell victim to this attack, it was in the process of completing a test of certain functionalities using the partial unencrypted backup. The hacker was able to access this specific information at this time.— Typeform Help (@typeformhelp) July 2, 2018
Any breach of a widely used third-party service can have a significant knock-on effect, as it requires clients of the service to notify their own users of a breach. Such notifications can also be confusing: users may have not heard of the third party whose service is integrated into a website or used for email marketing.
Typeform notified its clients about its breach, and they are now sending emails to their customers. The data exposed was contained in surveys conducted prior to May 3.
Under Europe's General Data Protection Regulation, Typeform would be required to notify relevant authorities within 72 hours of discovering or learning about a breach. Those authorities might then instruct Typeform to work with law enforcement agencies and notify affected consumers (see GDPR Enforcement Deadline: If You Blew It, What's Next?).
Typeform clients that have sent notifications so far include the U.K.'s Travelodge, online-only bank Monzo, upscale retailer Fortnum & Mason and in Australia, the Tasmanian Electoral Commission.
The exposed data varies by Typeform client. Monzo bank says 19,213 people had their email address exposed, 1,600 had their post code and name of their old bank exposed and 1,434 others had their Twitter user handle and email address exposed.
Monzo says other, smaller groups of people had different combinations of data exposed, including email address and university (908 people); name, email address, city, age band and salary band (191); name, email address and employer (53); and name and email address (7).
No funds are at risk, Monzo says. The bank also plans to report its actions to the U.K. Information Commissioner's Office, which enforces the country's privacy laws. Monzo is also ceasing to do business with Typeform, "at least until they can prove they've improved their security, and have deleted all customer data from their servers," writes CEO Tom Blomfield.
"In [the] future, to reduce the chance of similar incidents, we'll remove all survey data from any provider within two months of the survey," Blomfield writes.
The Tasmanian Electoral Commission says around 4,000 electors who applied to vote by mail or fax were affected by the breach. Those affected had applied for express voting for this year's Legislative Council and state elections, the ABC reported.
"The Electoral Commission will be contacting electors that used these services in the coming days to inform them of the breach," the TEC says on its website. "The Electoral Commission apologies for the breach and will re-evaluate its collection procedures and internal security elements around its storage of electoral information for future events."
The data exposed includes names, birth dates, email addresses and physical addresses. The information was collected from five Typeform forms that were on the TEC's website. The TEC has used Typeform since 2015.
Travelodge says the breach affected eight competitions, survey and offers it administered since August 2017.
"The information could have included your name, email address, mobile phone number, date of birth and/or gender and your email will specifically detail which information you provided," Travelodge says in an advisory.