What caused the Typeform data breach and what Plum did about it.

All bank account information and money is safe, for all Plum customers.

What is the breach?

This weekend we were notified by Typeform, a company that we use to build online surveys, that there has been a data breach. This breach affected not only Plum but also other companies that use Typeform.

An initial investigation shows that 98 users were affected by this breach. A deeper dive into the type of information affected shows that the data compromised is limited to contact information, primarily email addresses, but in some cases, phone numbers and names (first names mostly).

We can assure you that no personal information related to funds, bank account details or login credentials has been compromised.

We do not and will not ask for information regarding your bank account details over Typeform, or any other third-party survey tool. Plum uses surveys purely to gather feedback, for instance on new product features, so that we can make Plum better for you.

The customers affected by this breach have been contacted, with a full overview of the breach as well as a breakdown of their personal data compromised.

If you don’t receive an email from us today, then you don’t have anything to worry about.

Why did the breach occur?

Cyber attackers found a weakness in Typeform’s security practices. Attackers gained access to data backups for surveys shared before May 3rd 2018. Those backups contained the responses to surveys, including the data we mentioned above.

What are we doing about this?

At the moment, we’re making sure that any affected customers get the support they need. Everybody affected has already been contacted, but we extend our support to anybody who may have concerns or questions.

On top of this, we’ll be letting the ICO (Information Commissioner’s Office) know about the breach.

Internally, we will also be conducting a full review of the partners we use for surveys and feedback forms; this will most likely result in moving away from third parties and building an internal tool to collect feedback from within the bot. In the meantime, to minimise risk, we’ll remove all survey data from any provider within one month of the survey.

To all those affected by the breach, we’re sorry.

Whilst we do our best as a business to make sure your personal information is as secure as it can possibly be, unfortunately we were unable to prevent this incident. However, we’re making sure that we learn from this, and take any necessary actions to prevent something of a similar nature going forward.

If we receive more information from Typeform about the breach, we’ll be sure to share it with those affected, as well as the wider Plum community. In the meantime, we’ll be tightening things up on our end and you can read more from Typeform about the incident itself here.

Full Breakdown of the Data Breached

[Image: typeform-1]

What’s next?

Any affected Plum customer will have been emailed by us already. However, if you’re concerned about the breach, or have a question about how Plum strives to keep your data safe, feel free to reach out to a member of the team on security@withplum.com.