Typeform reported a data breach on June 29 that is impacting organizations and users of the company’s surveys-as-a-service platform.
Typeform’s platform enables organizations to conduct online surveys, polls and quizzes to gain insight about end users. The platform also collects data on end users, including names and contact information. According to Typeform, payment information including credit card details were not compromised in the incident.
“On June 27, 2018, our engineering team became aware that an unknown third party gained access to our server and downloaded certain information,” Typeform stated in an advisory. “As a result of this breach, some data was compromised. We responded immediately and fixed the source of the breach to prevent any further intrusion.”
According to Typeform, the breached data came from a partial backup of data from its systems dated May 3. Typeform has not publicly revealed the source of the vulnerability, though it claims to have remediated the root cause.
“We have immediately initiated a comprehensive review of our system security and have identified the source of the breach and have addressed that security vulnerability,” Typeform stated. “As a data collection company, maintaining the security and privacy of our customers’ data is our top priority. We will continue to take significant measures to prevent this type of situation from happening in the future, including a full-scale review of our security.”
Impact Could Be Widespread
The impact of the Typeform breach could be widespread as the company’s surveys are widely used across the internet. Among the organizations that have already reported being part of the breach are hotel chain Travelodge and Monzo Bank, though there are likely other organizations that have yet to publicly disclose their exposure.
“Typeform is a third party data services company which provides a platform to send customer surveys and competitions on behalf of many companies worldwide, including Travelodge,” Travelodge stated in an advisory. “They have reported to us a data security incident which has affected data they hold about you.”
This is the second breach in June that exposed third-party vendor supply chain risks. On June 27, event ticket vendor Ticketmaster disclosed that it was the victim of a data breach that was initially blamed on customer support widget supplier Inbenta. An investigation by Inbenta revealed that the data breach was due to a single piece of JavaScript code that was customized by Inbenta to meet Ticketmaster’s particular requirements.
“Ticketmaster directly applied the script to its payments page, without notifying our team,” Jordi Torras, CEO of Inbenta, wrote in an open letter. “Had we known that the customized script was being used this way, we would have advised against it, as it incurs greater risk for vulnerability.”
In April, multiple organizations were impacted by a data breach at third-party chat widget providers [24]7.ai. Among the organizations that publicly disclosed that they were part of the breach were Best Buy, Sears and Delta.
The simple fact is that organizations of all sizes use code snippets, widgets and surveys from a variety of third-party sources. Collectively, all those third-party sources represent supply chain risk to organizations, providing attackers with a potential attack vector.
Attackers are usually opportunistic and will attack the weakest link, whether it’s code written by an organization itself or something that comes from a supplier. When organizations are looking at cyber-security risk, it’s critically important to understand all sources of code and technology that are being used because that’s what attackers do. Mitigating cyber-risk begins with understanding all sources of risk, regardless of the source, and then taking steps to limit exposure.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.