Tasmanian electoral body caught up in Typeform data breach

The Tasmanian Electoral Commission says an 'unknown attacker' has downloaded a back-up file containing the personal information of electors.
Written by Chris Duckett, Contributor

The Tasmanian Electoral Commission says an "unknown attacker" has breached a server's security and downloaded a back-up file containing the names, addresses, emails, and date-of-birth information of electors.

The breach occurred through a server of the Barcelona-based company Typeform, whose online forms have been used on the TEC website since 2015 for election services, the commission said in a statement on Saturday.

Typeform said the breach was identified on June 27, with the vulnerability closed down within half an hour of detection.

The commission said it's believed the stolen elector data on the online forms included names, addresses, emails, and date-of-birth information provided by electors when applying for an express vote at the recent state and Legislative Council elections.

The commission said it would be contacting electors who used the services in coming days to inform them of the breach.

"The Electoral Commission apologises for the breach, and will re-evaluate its collection procedures and internal security elements around its storage of electoral information for future events," its statement said.

It said the breach had no connection to the national or state electoral roll.

In its statement on the breach, Typeform said the data exfiltrated was from "a partial backup dated May 3rd 2018", and the "risk of reoccurrence is now deemed low enough to send out this communication".

The company said results collected since May 3 are not affected, nor were subscription payment information and Typeform login details.

"We have immediately initiated a comprehensive review of our system security and have identified the source of the breach and have addressed that security vulnerability," Typeform said.

"In the short term, we brought in forensic security experts who have helped us review the breach, and are helping us look into all other aspects where we can improve the security of our platform."

Last week, Ticketmaster suffered a breach thanks to a flaw in one of the JavaScript libraries, build by Inbenta, that was paying sending payment data to an unknown third party.

"It has been confirmed that the source of the data breach was a single piece of JavaScript code that was customised by Inbenta to meet Ticketmaster's particular requirements," said Inbenta chief executive Jordi Torras.

"The JavaScript we created specifically for Ticketmaster was used on a payments page, which is not what we built it for. Had we known that script would have been used in that way, we would have advised against it, as it poses a security threat."

Related Coverage

Homeland Security subpoenas Twitter for data breach finder's account

The subpoena demanded Twitter turn over information that would identify the data breach finder.

One in four APAC firms not sure if they suffered security breach

A quarter of Asia-Pacific companies have experienced a security incident, while 27 percent aren't even sure because they haven't conducted any data breach assessment--even as the region is estimated to have lost US$1.75 trillion last year due to cyberattacks.

Inbenta hack responsible for Ticketmaster breach

A support chat tool, used to help dozens of major websites interact with customers, has been blamed for a security breach at Ticketmaster.

Reported breaches not painting complete picture of Australian security landscape

Although 63 data breaches were reported to the Office of the Australian Information Commissioner in less than six weeks, FireEye's Mandiant has warned the figure is higher, but organisations are unsure if their breach fits the brief.

3 tips to make implementing edge security easier (TechRepublic)

In many businesses, there's a need for understandable security technology that is easy to install, operate and administer at the edge of the enterprise by business users and IT.

Editorial standards