Shane Chambers

Harvey Norman, the retail giant with 13 stores in the Republic and a further two stores in Northern Ireland, has admitted to customers that it suffered a data breach through a third-party tool used on its website. “We wish to alert you to a data breach that has occurred in the systems of a third-party website service provider, Typeform, which has resulted in the unauthorised access to some Harvey Norman data,” the company said earlier this week in a statement.

Harvey Norman was just one of the many companies affected by a breach at Typeform, a third-party website service provider

Typeform, based in Spain, is a software-as-a-service company that provides online forms and surveys for business websites. It says it has over 30,000 paying customers using its services – including Trello, HubSpot, Forbes, Apple, Facebook, Uber, Airbnb and many more.

Typeform says an attacker managed to download a backup file from its servers, compromising names, email addresses and other data that users had submitted on various websites through its forms. Payment and password information are reportedly not affected.

Harvey Norman has officially apologised for the incident in its statement. “As a result of this breach some of your personal data may have been compromised,” it said. “This data includes your name, email address and your telephone number. No sensitive personal data such as payment data, bank details or passwords are involved.”

“Harvey Norman understands that the safety and protection of the personal information you provide us with is of the utmost importance. We take the protection of that information very seriously and we are very sorry to have to notify you of this situation.”

Also among the companies affected by this breach were the well-known London food store Fortnum & Mason, which said about 23,000 of its customers may be affected, and the mobile banking service Monzo, which said email addresses for at least 20,000 of its customers may have been affected.

This incident is just one of many showing the data protection industry, and the world, how important it is to keep data flows tightly controlled, especially now that the GDPR is enforceable for any organisation that holds or processes EU citizens' data. Under this regulation, each company must know which third-party companies hold sensitive data on its behalf, whether all the data held is relevant to its purpose, and whether the third-party provider has adequate technical measures in place to protect it to the high standards the GDPR requires.

While passwords and payment data don’t appear to have been compromised in this case, the user data may well end up on the dark web, where it will be sold to cyber criminals who often use such data to conduct targeted phishing attacks and even identity fraud.

Harvey Norman has put out an additional warning to its users that they may be at increased risk of phishing attacks. “We recommend that you take some additional measures in the management of your emails to identify any phishing or scam emails. In particular, if you receive any email from Harvey Norman asking for payment, a credit card number or any other confidential information, do not answer and contact us immediately.”

Many people, however, won’t take the time to train themselves to spot and correctly deal with advanced phishing emails, and this can pose a huge risk for companies. Some companies may provide basic guidelines to staff, or at best run one-off training, but then fail to keep their staff up to date and re-educated as threats change.

This is why, at Tech Guard, we strongly recommend that companies take matters into their own hands and not only train but also phish their users on an ongoing basis. Basic cyber security awareness training and the ability to recognise sophisticated phishing emails are very important, and increasingly seen as essential skills for any employee who handles data. Ongoing training and phishing of employees is now a necessity for companies – it has been proven to significantly reduce the risk of cyber attacks, and it aids compliance with the GDPR.