
The list of customers affected by the Typeform data breach has grown in the past week. So has the number of personal records exposed. This article aims to collect all of this data in one location.
What is Typeform?
Typeform conducts customer surveys and quizzes for other companies using their service. The web-based platform allows customers to create surveys, forms, and questionnaires. This capability can be a great asset to firms, giving them additional visibility into their target audiences, but it can also be a huge liability, as we have seen with the recent data breach.
What is the Typeform data breach?
Typeform’s customers are other businesses that might use the surveys for customer service requests, customer feedback or other online surveys to collect data.
Typeform explained in their statement that the attackers may have found a weakness in their security. This enabled them to gain access to data backups for surveys conducted before May 3rd, 2018. Ocean Protocol and Rencore have claimed that the breached backup data was unencrypted. This raises obvious questions. Why was data stored in an unencrypted form? How was the backup accessible to an attacker in the first place?
In the wake of the Typeform data breach, clients large and small were explaining this loss of privacy to their users. Companies reached out to their users apologizing for the risk, and talking about remediation efforts.
New company identified
Another firm affected by the Typeform data breach was Kano Computing. Kano allows its customers to build their own computer with its computer kits. Kano Computing has not yet received press coverage over the incident, although they acknowledged the breach on their website.
The breach affected around 1,700 Kano Computing users. Users’ full names, shipping addresses, and email addresses were a part of that breach. The company sent out an email – like other firms, it clearly delineated the extent of the data breach:
“We have reason to believe your full name, shipping address, and email address were part of that breach as a result of you filling in a form … relating to your Kano kit. No credit card or payment information has been compromised.”
A table on the Kano website highlights how many customers had different pieces of data exposed.
List of companies affected
The Typeform data breach has compromised over 100,000 records. This count does not include the companies whose breached record count remains unknown.
It is still unclear how long the list of companies affected is. The exposed data varies, depending on the Typeform clients in question.
For example, Ocean Protocol reported that the hackers downloaded information that includes user’s email address, date of birth, place of birth, wallet address, ID number, nationality, and for U.S. participants, SSN. Monzo also sent out emails to its customers informing them about the compromised names, email addresses, city, age band, salary band, employer names, bank names, Twitter usernames, and postal codes. Below is a list of companies that were affected by the breach:

Third-party vendor risk
The Typeform attack highlights one of the major trends in corporate cybersecurity, which is that of risk from third-party suppliers. Often these suppliers are unable to be fully vetted. Companies take the word of the suppliers on their security. Managing hundreds or thousands of suppliers can be a difficult challenge, especially since any one of them could be a source of a cybersecurity incident.

The Role of GDPR and Mandatory Reporting
One of the interesting aspects of this data breach case is the speed and transparency with which information has been shared.
The European General Data Protection Regulation (GDPR) went into effect in May. It made a lot of headlines before implementation, because it put previously unprecedented requirements on companies regarding breach notification and general user privacy. It is having a vast effect far beyond the E.U., where it is the law of the land.
Thanks to globalization, more IT or business chains involve a European link. This means that end users will benefit from the full protection of the European law. In fact, customers of some U.S. Companies that relied on Typeform for surveys might not have heard about the issue as quickly or as fully, if those companies had not been located within Europe. GDPR is helping to create greater worldwide transparency in regards to people’s personal data security.
What’s next?
Fractional CISO helps companies to manage their third-party vendor risk and develop, maintain and manage their incident response capability, and assists companies in complying with GDPR and other regulations. Contact us for help in these areas or to assist with the creation and management of your cybersecurity program.