Data Breaches, Due Diligence & Third Parties - The Nightmare is Real

There have been several high-profile reports of data breaches recently, including Ticketmaster, Thomas Cook and Harvey Norman. Harvey Norman attributed its reported breach to a third party and issued the following statement identifying the provider:

“We wish to alert you to a data breach that has occurred in the systems of a third-party website service provider, Typeform, which has resulted in the unauthorized access to some Harvey Norman data”.

While Harvey Norman did comply with the data breach reporting requirement of the GDPR by meeting its 72-hour deadline, there are still lessons to be learned from the incident.

As a Data Controller, you are responsible for your Third-Party Processors

Typeform provides online survey and other data collection services to tens of thousands of clients. Featured on the customer page of their website are Forbes, Trello, HubSpot, Indiegogo and Freshdesk. Two weeks ago, Typeform discovered a major breach and many of its clients were impacted as a result. By extension, it is suspected that a large amount of personal data has been accessed.

The Typeform breach is a nasty one. Many of the organisations that use its services collect sensitive data through the customisable forms Typeform provides, using the service to gather all manner of personal information via surveys, orders and lead generation forms. One client, Ocean Protocol, reported that “the hackers accessed the data that contributors submitted to fulfil Know Your Customer (KYC) and Anti-Money Laundering (AML) requirements. Typeform has confirmed that the data was stored in an unencrypted manner which means that the data is accessible.”
