Brands are being urged to carry out rigorous checks on their third-party suppliers after Fortnum & Mason and digital start-up bank Monzo became the latest victims of a data breach as hackers accessed a Spanish survey company which also has scores of other, high-profile clients.
Typeform, a Barcelona-based software-as-a-service company, specialises in online form building and online surveys. Its software has been used by Apple, Airbnb, Uber and Nike, although it is not known whether any other brands – apart from Fortnums and Monzo – have been affected.
Fortnums released a statement saying around 23,000 customers who had entered a competition organised by Typeform had had their email addresses exposed to the hackers. The retailer said the hacker also managed to gain data including address, contact number and social media account details from a “smaller proportion” of customers. No bank details, payment details or passwords have been exposed and all customers have been notified, the retailer insisted.
A Fortnums spokesperson said: “There has been no breach of our website or database, and all data which we hold is unaffected by this breach. We have disabled any and all Typeform forms existing on our website and will not work with Typeform until we are assured that there is no further risk, that all our data has been removed from their servers and that their security measures have been improved. We have been informed that Typeform have fixed the root cause and are undertaking forensic investigations.”
Meanwhile, around 20,000 Monzo customers have also been affected.
The digital bank has reported that 19,213 email addresses had been exposed, while other data – including postcode and name of previous bank and Twitter username – is also under threat. Hundreds of customers have also had details of their salaries, employment and university compromised.
The bank said all customers had been informed and it has terminated its work with Typeform. It also said it would remove all survey data from any third-party provider within two months of a survey in the future.
Monzo chief executive Tom Blomfield said: “To everyone affected, I’m very sorry. Unfortunately, we can’t ever guarantee that something like this won’t happen, but we’re doing everything we can to protect your data and we’ll learn from this incident.”
He added: “If we get more information on the breach, we’ll give a more thorough update in the near future. Until then, we’ll be working hard to minimise the impact on the people involved and we will ensure that no customer is left out-of-pocket as a result of this breach.”