Bakers Delight is the latest Australian company to notify customers of potential exposure to the Typeform data breach.
The bakery operator confirmed to iTnews it had received an email from Typeform - a provider of hosted surveys - indicating some of its data “may” have been in a partial backup file accessed by attackers.
The email prompted an internal investigation by Bakers Delight, which resulted in the company notifying customers who had entered one of its online competitions.
“Our investigations have shown that the form [Typeform] provided as part of our 'Win a Decor Pack' competition may have been affected,” Bakers Delight said in an advisory obtained by iTnews.
“It is possible your name and email address was accessed as part of this breach so as a precaution, we recommend you watch out for potential phishing scams, or spam emails.”
The Tasmanian Electoral Commission (TEC) was the first Australian organisation to say it had been caught out by Typeform’s data breach over the weekend.
TEC’s position is more precarious as it involves the potential loss of details of constituents that had registered to cast email or fax-based votes in local elections.
The Australian Republic Movement (ARM) has also confirmed exposure to the Typeform breach.
"Typeform informed the Australian Republic Movement that we are among their clients whose data was partially compromised as part of a recent breach," it said in a statement.
"Some ARM supporters were among those affected by this breach.
"We chose a leading provider for the form service and the breach that's occurred is not acceptable to us."
Australian customers of Typeform have spent the week seeking answers and assurances from the company on whether or not they have been impacted by the data breach incident.
Insurer IAG is a small Typeform user through its relatively new Firemark Labs innovation incubator.
An IAG spokesperson said the company was trying to understand what - if any - exposure it might have had to the incident.
“We’ve used Typeform for some small web applications to date,” the spokesperson told iTnews.
“These have been part of pilot programs and initiatives so they’re not full scale products.
“We’re aware of [Typeform’s breach] and we’re dealing with it as a matter of priority.
"As part of that we’ve contacted Typeform directly and we’re also conducting an internal review as well because the safety and security of data and information is of the utmost importance to our business.”
IAG said it only had one Typeform-powered form live at the time of the breach. It said it had deactivated all links to Typeform as a precaution while it investigated the breach report.
The response to the Typeform breach shows it could end up bearing similarities with the recent incident experienced by fellow as-a-service provider, PageUp People.
When PageUp People gave notification of a potential data breach, its customers suspended their PageUp-powered careers sites, in many cases out of an abundance of caution, as they sought to understand their exposure to the incident.
Though a handful of those customers still have their careers sites on hold, many have since renewed their use of PageUp services, particularly as it has emerged that the impact of that incident is likely to be limited.
Australia’s national security adviser Alastair MacGibbon last week criticised data breach notification laws for forcing providers like PageUp to disclose potential breaches well before they had time to properly evaluate them.
MacGibbon said PageUp had been “in a sense … victimised” by the laws - particularly those in the UK - which forced the company to “come out to the market earlier than logically they should have.”
Unlike PageUp, Typeform has confirmed data exfiltration took place. However, it is understood that only organisations that were directly emailed by Typeform are possibly impacted.
Despite this, Typeform’s disclosure appears to be sparking some proactive warnings from organisations that use the software, even if direct exposure to the breach is unconfirmed.
Patreon, a popular service that lets people pay podcasters, bloggers and other creatives, caused some confusion on Tuesday afternoon when it warned users about data that was “potentially impacted”, including names and email addresses.
It later emerged the company had suffered no specific breach in relation to Typeform and had simply issued a general, proactive warning to alert its end users.