Typeform’s Data Breach: The Dangers of Supply Chain Attacks
Spanish online survey company, Typeform, recently experienced a serious cyber-attack, resulting in hackers downloading a partial backup of its customer data. Typeform noticed the breach on 27th June and reported they had remedied the issue within 30 minutes of discovery, yet all survey responses passing through their online platform prior to May 3rd, 2018 could be at risk. This survey company’s breach shows how dangerous supply chain attacks can be.
Third Party Suppliers – What we know and what we don’t
Typeform is one of those companies that the majority of people won’t have heard of, but many will have used. Because of this, you might consider yourself safe from this breach, without realising that you’re at risk. Their online survey and quiz platform is widely used by companies for marketing purposes, running surveys and quizzes to gather data from their customers. If you have ever filled in an online survey or taken a quiz, there is a very good chance Typeform was behind the scenes. Each instance of a survey can collect data from hundreds of thousands of customers, meaning the scale of the breach is hard to quantify. Furthermore, and making matters worse, Typeform has been fairly vague about the scale of the data loss, rather they focused on reporting only what wasn’t stolen – business subscription payment information, platform username/password combinations and payments collected via Stripe integration are all not affected by this breach.
The extent of the problem doesn’t stop there, reporting this breach to consumers isn’t Typeform’s responsibility. Rather, it is the purview of the businesses using their platform to gather customer data. Typeform’s services are used all over the world and the companies using its platform also operate globally, so you’re really at the mercy of these companies as to whether they inform you of the risks. The data collected using Typeform’s platform could be for any number of reasons, depending entirely on what the company is researching, but the personal information affected might include email addresses, Twitter handles, Linkedin profile addresses, postal addresses and postcodes, salary bands and ages. All of this information could be considered personally identifiable information (PII) and hence subject to privacy laws in many locations if it is mishandled and the breach isn’t properly reported.
Supply Chain Attacks – Where the risks lie
The majority of risks are to consumers, where the information garnered from the breach can be used to construct convincing phishing attacks against individuals. Anyone who gets a notification from a company who used Typeform should ask as many questions as possible as to the nature of the dataset. Some surveys may have collected non-identifiable information, which means there is less risk, but some companies offer prizes that require personal contact details, so this information is all included in the stolen data set.
Dealing with Third-Party Breaches
From an enterprise perspective, this supply chain attack reminds us that in the modern world of online service consumption, when the service provider gets breached, it affects hundreds or even thousands of customers. Imagine if one of the big cloud providers was breached, such as Salesforce, Amazon or Microsoft? That would affect hundreds of thousands of businesses, in turn affecting millions of customers. Unlike the big single-company breaches, it’s the business that provides the consumer service and not the back-end service provider that has to deal with the fallout.
The Weakest Link
Even with the best security controls in your own business, your upstream service providers can be the weak link that causes your business serious harm. The so-called third-party breach (also known as a supply chain attack) is fast becoming one of the hardest and most critical risks to mitigate. In essence, this happens when an attacker gets access to your systems (or your data) by attacking the outside partner or service provider. The Pomemon Institute recently published a survey showing that 56 percent of organisations had a breach caused by someone in their supply chain, which is a 7 percent increase over the previous year.
Security Controls and Countermeasures
We know that security is only as good as the weakest link. Yet, modern businesses are reliant on third-party services where they have little to no control over the security of their systems. Oftentimes it comes down to what the service contract says and then making sure your cyber insurance covers any gap. There is no doubt that cyber insurance can help recover costs associated with notifying end-users and cleaning up the incident, but it doesn’t protect your reputation or share price if that takes a tumble. If your customers decide to leave and move their business to the competition, it can be an existential for some. Some of the bigger service provider platforms offer logging services, where businesses can ingest logs from the service into a Security Information and Event Management (SIEM) system, but this is only useful if the logs represent the entire service infrastructure. If you only have limited visibility of the platform, then only a small number of threats can be detected and stopped.
Minimise the Attack Surface to reduce exposure
The best way, by far, to mitigate these risks is to seek ways to minimise the attack surface. If you use a service such as Typeform’s make sure you can cleanse the data from their systems, with some kind of assurance that it’s been done. Download the data set and keep it offline, this reduces the risk of future exposure on the platform. Monitor the news and threat feeds and if you hear of a breach to one of your service providers, contact them and demand to know the extent of the damage. Work with them to understand what was leaked and what they are doing to recover the data or reduce the harm. You can also demand architectural security controls are used by your providers, such as encryption technology where you maintain the keys, so that data is unusable if it’s stolen.
Finally, before you go to contract with a service provider, see if they will undertake testing and provide you visibility of the reports. Penetration testing can show any weaknesses in their systems and should give you an indication of how keen they are to invest in security. Any company not willing to open themselves up to testing should be avoided since they are either hiding something or don’t have a security-focused model.
Alignment reduces Supply Chain Attacks
At the end of the day, security is everyone’s responsibility, but to protect yourself and your business you need to develop a trust-based ecosystem where everyone involved in delivering your product or service sings off the same hymn sheet.