Barcelona-based Typeform suffered a breach when an unknown third party accessed one of its servers and downloaded data. While the breach’s impact on the company's reputation cannot be fully measured yet, Monzo announced that it has ended its relationship with Typeform.
On 27 June 2018, Typeform announced that an unidentified attacker reportedly downloaded a partial backup file. The file reportedly contained sensitive information on customers who had completed online forms before 3 May 2018. Any information collected after 3 May was not compromised. Those customers who were affected by the breach were informed via email by Typeform.
In its media alert, Monzo wrote, “Some personal data of about 20,000 people is likely to have been included in the [Typeform] breach. For the vast majority of people, this was just their email address. For a much smaller proportion of others, this may have included other data like their Twitter username or postcode.”
Even though Typeform said it responded immediately by fixing the source and preventing any further intrusion, the breach has already cost the company one customer.
“We have since been performing a full forensic investigation of the incident to be certain that this cannot happen again. The risk of reoccurrence is now deemed low enough to send out this communication,” the company wrote.
The company also confirmed that no bank details have been affected and that payment details, passwords and any customer subscription payment information remain safe. Additionally, any payment information that customers collected using Typeform’s Stripe integration has been deemed safe.
The breach has also created a potential problem for the Tasmanian Electoral Commission (TEC), which has used Typeform’s online forms for some of its election services. As the days unfold, electors will be contacted, but TEC added that the breach has no connection to the national or state electoral roll.
TEC publicly announced the breach in a 30 June media release, reporting that “Whilst some of the stolen elector data captured in some of these forms has already been made public, such as candidate statements for a local government by-election, it is believed that the breach also captured name, address, email and date of birth information provided by electors when applying for an express vote at the recent State and Legislative Council elections.”