Within a month of each other, two third-party data breaches one at PageUp and another at Typeform have impacted a multitude of businesses and thousands of individuals.

Both companies offer third-party services to larger organisations. Businesses are coming forward to notify their customers and clients that their data has been compromised.

The source of the breach may be a result of a third-party vulnerability but the businesses impacted by using these third-party services are still responsible for the data that they entrust to those services and third-party companies. So, suddenly many more businesses are having to acknowledge that they too have suffered a breach and that their customers’ data is at risk

The Typeform Breach

On the 27 June Typeform, a Spanish company offering services for online forms and surveys, suffered a security breach when a backup file was stolen from its servers, compromising the data collected by its customers (the growing list of victims you’ll soon discover).

Typeform states on its website that within half an hour of realising the cause of the breach it had fixed it. The compromised file stored names, email addresses and other pieces of information submitted by users through Typeform forms.

Typeform failed to mention (at the time) that the data was not encrypted, but now at least one company has publicly announced that the breached data was not encrypted. Ocean Protocol, a customer of Typeform, announced that Typeform had confirmed that the data was stored in an unencrypted manner making the data accessible.

At the time of the incident, certain companies were highlighted as possible victims. A number of other companies continue to come forward acknowledging that they’ve been hit by the breach.

Businesses affected include:

Hotel Chain Travelodge

Travelodge has notified those affected that their personal information including first name, date of birth, mobile number and email address have been acquired by an unauthorised third party as a result of the Typeform breach and have advised them to stay vigilant as the details may be used fraudulently.

UK’s Liberal Democrats

The political party notified its supporters that its ‘Membership Experience Survey’ had been exposed and stated:

“This survey contained your name and email address, so please watch out for potential phishing scams or spam emails. This survey also contained information about your political opinions, such as the campaigns and policy areas most important to you.”


Monzo (a start-up bank), that recently disclosed details about the Ticketmaster breach, has also had personal information of 20,000 of its customers stolen as a result of the Typeform breach. Information includes email addresses, postcodes and names of banks previously used.

Tom Blomfield, Monzo CEO, said:

At the moment, we’re focused on letting affected customers know what’s happening, and we’re informing the Information Commissioner’s Office as soon as possible.”

He added, “We’re also ending our contract with Typeform, at least until they can prove they’ve improved their security, and have deleted all customer data from their servers. In future, to reduce the chance of similar incidents, we’ll remove all survey data from any provider within two months of the survey.”

Fortum & Mason

Thousands of Fortum & Mason customers’ data has been stolen, including email addresses, physical addresses, phone numbers and social handles as a result of the Typeform breach. Fortum and Mason has said that 23,000 people who filled out a survey or took part in an online competition have been affected.

Ocean Protocol

The data platform confirmed that information including email address, date of birth, place of birth, ID number, nationality, wallet address, scans of identity documents, proof of residence, proof of accreditation and SSN of US members have been compromised

Ocean Protocol is offering credit monitoring to affected customers and has notified its customers that the data was not encrypted.


Revolut (digital banking company) said that email addresses, possibly Twitter handles and pre-registration details were exposed.


The digital transformation software company has confirmed that 230 of its customers have been affected through a public-facing survey hosted on Typeform.

Shavington-cum-Gresty Parish Council

The English council said that 304 of its citizens were breached. Mainly email addresses were leaked and possibly some individuals’ names, postal addresses and postcodes.

Bakers Delight

The Australian bakery chain has confirmed that the breach has affected a customer competition that they ran called “Win a Decor Pack”.

Across the globe, many businesses have been affected and the list keeps on growing…

The breadth of third-party breaches quickly becomes evident

Unfortunately, third-party breaches like this are becoming more frequent and commonplace.

A month ago, Australian company PageUp announced a suspected data breach that potentially put the personal details of thousands at risk.

The cloud-based HR software provider discovered suspicious activity on its system on the 23rd of May 2018 and after an investigation confirmed an incident had occurred and that client data had potentially been compromised.

As with the Typeform breach the list of victims grows.

Costa Coffee and Premier Inn, both PageUp clients, have now announced that they too have been caught up in the PageUp breach.

The personal details of Costa Coffee and Premier Inn current and prospective employees were stolen as a result of the data breach of Whitbread, Bedfordshire-headquartered multinational organisation, that has 50,000 UK staff across its brand and is run by PageUp.

Personal information including name, email address, physical address, telephone number and employment information has been compromised.

Whitbread wrote to those affected saying:

“At Whitbread we take protecting your data very seriously and we are very sorry that this has happened. We choose our partner organisations very carefully and take every possible step to ensure your data is always kept secure. We value all our job applicants and we want to repeat that we are very sorry that this has happened.”

This highlights the urgent requirement for better data security across the board

It’s so important that an organisation’s security and data protection policies extend beyond their own internal business. Organisations need to consider the bigger picture.  The entirety of the supply chain. If a business has third-party partners and uses third-party services (which the majority do) it’s very important that their security is fit for purpose too, if not, they will be the weak link in your security.

It may be that a business believes it is doing what is needed (internally) to keep the business secure but without looking at the whole supply chain (investigating what others are doing and not doing) vulnerabilities will persist.

The whole supply chain needs to be investigated for gaps in security to avoid such breaches.

In many of these cases, businesses thought that they were secure and all it took was a vulnerability of a third-party supplier or service to involve them in the breach. A multitude of businesses, across all sectors and geographies, can be affected in no time at all. It’s a domino effect!

Although in these instances banking details are not believed to have been compromised, the personal data stolen can be used maliciously in so many ways including phishing attacks as well as identity theft.

If the data were encrypted this vast impact could easily have been avoided.


News Source: The Register, The Hacker News, Databreaches.net