Fortnum & Mason customers’ personal data exposed in breach

As the saying goes, you’re only as strong as your weakest link, which is as true for data security as any other situation. Unfortunately, world-famous retailer Fortnum & Mason was recently let down by a weak link – survey company Typeform – that exposed the personal data of 23,000 of its customers.

Fortnum & Mason partnered with Typeform for its food and drink awards. A breach of Typeform affected Fortnum & Mason customers who voted using the Typeform form in the “TV Personality of the Year” category.

For the majority of people affected, only an email address was accessed. However, the names, home addresses and social media handles of a smaller proportion of customers were accessed. Fortnum & Mason confirmed that no bank details or passwords were involved, and that money and accounts are safe.

A statement from Fortnum & Mason said:

“At 17.26pm on Friday 29 June, Typeform, a company that provides services that we have used in the past to collect survey responses and voting preferences, notified us that they had suffered a data breach and unfortunately some of our data had been compromised.

“The data of approximately 23,000 competition and survey participants who inputted into a Typeform form has been involved in this breach. For the majority of people, only the email address has been exposed. For a smaller proportion of customers, other data such as address, contact number and social handle has been included. These forms did not request bank or payment details, or require passwords.”

Fortnum & Mason has taken down all forms powered by Typeform until its security measures have been improved. Typeform swiftly identified and fixed the root cause and is now undertaking a forensic investigation.

The importance of supply-chain security

The incident, hitting such a giant of a retailer with its pedigree stretching back more than 300-years, highlights the importance of supply-chain security.

Under the EU GDPR (General Data Protection Regulation), in this instance Fortnum & Mason is the data controller, and is therefore responsible for the security of personal data processed on its behalf by data processors (Typeform). The retailer could therefore find itself liable for administrative fines as well as legal action from the data subjects (the customers affected).

The news of this breach comes just days after Ticketmaster suffered a data breach involving a third-party support product.

For more information about how to protect against a data breach, or the steps to take if a breach occurs, take a look at our GDPR compliance checklist.

Breach Ready