Typeform Data breach: What you need to know

We were notified on 29th June at 21:19 that Typeform, a company we’ve used to collect survey results in the past, has suffered a data breach.

We were notified on 29th June at 21:19 that Typeform, a company we’ve used to collect survey results in the past, has suffered a data breach. Typeform reported that an external attacker managed to get unauthorized access to respondent data and downloaded it. They identified the breach at 14:00 CET (Central Europe Daylight Time) on June 27th, and remedied the apparent cause of the breach at 14:30 CET on June 27th.

Our initial investigation into this matter suggests that some personal data of 304 people that have filled in our surveys in the past are included in the breach.

For the vast majority, the data taken included their survey results along with an email address. For a much smaller proportion, this also included other data such as their name, postal address or postcode.

We’ve published a full breakdown at the bottom of this post for your information.

We’re going to inform all those affected that we hold contact details for. In some of our surveys, it was optional to provide a method of contact; therefore, in some cases, this means there are some people we are unable to contact as we have no way to inform the respondent.

For those that we can contact, we’ll let you know what information may have been compromised, what you should do, and what we’re doing to fix it — we recommend that you watch out for potential phishing scams, or spam emails.

Why did this happen?

This happened because attackers found a weakness in Typeform’s security.
Attackers managed to gain access to data backups for surveys conducted before 3rd May 2018. Those backups contained the responses to surveys.

Our plan of action

• We started investigating thoroughly on Saturday 30 June and the Clerk and Chairman have agreed on a plan of action.
• The Clerk informed the Information Commissioner’s Office on 30 June 2018 within the 72-hour deadline imposed, and the Chairman will ensure this update is posted publicly online on 1 July, in consultation with members of the Communications Committee.
• All those affected that we hold personal contact details for will be informed as soon as practically possible, but certainly before Friday 6 July (where we have a form of contact details).
• We’ll also be scheduling an Extraordinary Meeting of the Communications Committee on Friday 6 July to discuss the data breach and critically, review how to mitigate this happening again and potentially ending our relationship with Typeform. We will also agree on what actions we can take to inform those affected which we do not hold contact details for.

Unfortunately, we can’t ever guarantee that something like this won’t happen again, but we’re doing everything we can to protect your data. If we get more information on the Typeform breach, we’ll be sure to give you a more thorough update soon. If you want to read more about the breach, Typeform have published information here: https://www.typeform.com/data-breach-june-2018

A full breakdown of data breached

• Neighbourhood Plan Fact-Finding survey (preliminary questionnaire regarding the Neighbourhood Plan carried out between June-August 2016. Data breached includes 220 postcodes, 145 email addresses and 13 postal addresses)
• Shavington’s Questionnaire for Businesses (As part of the Neighbourhood Plan preparation in November 2016. Data breached includes 10 home addresses, 6 trading addresses and 9 registered addresses)
• Shavington’s Questionnaire for Teenagers (As part of the Neighbourhood Plan preparation in November 2016. Data breached includes 11 postcodes)
• PCSOs (As part of the consultation on how many PCSOs the Parish Council should fund, carried out in September 2017. Data breached includes 43 names and 63 postcodes)
• Shavington History (Used to collect snippets of the history of Shavington. No personal data affected.)

The following surveys we have conducted in the past were NOT affected:

• Shavington-cum-Gresty Events (survey used to collect events from 2018 onwards)
• Shavington-cum-Gresty Events: 2017 (survey used to collect events during 2017)
• Shavington's Questionnaire for Children (online submissions for the Neighbourhood Plan preparation in November 2016)
• Shavington’s Questionnaire for Adults (online submissions for the large Neighbourhood Plan questionnaire in November 2016)
• Manual Entry: Adult Questionnaire (manually inputted data from paper copies of Neighbourhood Plan questionnaires in November 2016)

If you have any further questions at this stage, you can contact the Clerk to the Shavington-cum-Gresty Parish Council.