Typeform Data Breach Has Potential For Severe Ripple Effect

by David Pumphrey

On June 27, Typeform, a company that provides an online form platform and data collection for its customers, reported a data breach. Its statement said that an unauthorized attacker gained access to its servers and partially downloaded data that customers had collected prior to May 3. The download was of a backup dated May 3. Typeform's direct customer information was not compromised, other than email addresses.

So where does the ripple effect occur? The stolen data is the information submitted into forms created by Typeform's customers. A customer can ask any type of question on a form, and as long as their audience submits an answer, that data is saved on Typeform's servers. A customer might create a form that asks for a social security number, billing address, credit card number, health data, and the list goes on. Though Typeform's own sensitive information was not compromised, that of its customers' audiences has been.

The list of companies that have notified their customers they are affected by the Typeform data breach continues to grow. One victim has publicly claimed the breached backup data was unencrypted. The company that has expressed the gravest concern so far is Ocean Protocol, a service that allows data to be shared and sold for productivity. In its data breach statement it wrote,

"TypeForm has confirmed that the data was stored in an unencrypted manner which means that the data is accessible. Information that the hackers downloaded includes email, birthdate, place of birth, ID number, nationality, wallet address, and for our US participants, SSN."

Ocean Protocol had 167 contributors compromised. 

Digital banking company Revolut said it's affected, but in the main, the only exposure was e-mail addresses and possibly Twitter handles. “For a smaller number of people, it was pre registration details for our business product”, the post added.

PostShift said only 230 of its customers were impacted, because only one public-facing survey was hosted on Typeform.

Shavington-cum-Gresty Parish Council said only 304 of its citizens were breached, and most of those only had their e-mail address leaked (in a few cases, name, postal address and postcode were included). The post added that the council will consider ending its relationship with Typeform at a July 6 communications committee meeting.

The Australian Republican Movement is also reviewing its use of Typeform.

Australian bakery chain Bakers Delight told Australian publication IT News the breach affected a customer competition, “Win a Decor Pack”.

Typeform wrote that it performed a full forensic investigation of the incident to be certain this breach cannot happen again, and that the risk of recurrence is deemed low. It also sent its customers an email template that they can send to their audiences.

The question now is where responsibility for the harm ultimately lies: with the companies that gathered the sensitive information on Typeform's servers, or with Typeform itself for the breach of its unencrypted server? This is definitely one to watch.

Feel free to leave a comment and provide your insight on cybersecurity.