CEA's Response to the Typeform data breach

Posted 5 July, 2018 (updated 14 January, 2021)
On Monday we learnt that Typeform, a popular service we’ve used to create some of our online forms, has suffered a significant data security breach.
Many users of the Centre For Effective Altruism’s online services (or projects of CEA, such as Effective Altruism Global) submitted personal data, which was among the information that was stolen from Typeform.

What personal information is affected?

We have analysed a copy of the data that was stolen. We believe that a maximum of 1497 individuals were affected by the breach. A summary of the personal data affected is below:
Type of dataMaximum Individuals Affected
Name1484
Email1497
Phone number89
Skype Handle66
Physical/Postal Address10
General geographical information (City/University/Local group)542
Job title/details of employment1216
Career plans/biography/other long-form personal answer445
The stolen data did not include: financial data (e.g. credit card information); any file attachments you may have uploaded (e.g. curriculum vitae / résumé); or any form responses submitted after May 3rd 2018.
Also, please note that in many cases the information affected is from 2015 and 2016 and thus may no longer be up to date.

This happened because attackers found a weakness in Typeform’s security

Attackers managed to gain access to data backups for a subset of Typeform submissions that were collected before May 3rd 2018. Those backups contained the information that people submitted via these forms, including the data we mentioned above.

The Typeform data breach affects many organisations

Typeform is a widely used service, and it seems like this data breach affects thousands of organisations and millions of individuals. So you may see similar notices from other organisations in the coming days.

CEA’s response

We take protecting personal data extremely seriously, and we are very sorry that you have been affected by this incident.
When we discovered this incident, we immediately began a thorough investigation. Since then we have notified relevant authorities including the UK Information Commissioner’s Office, which is now investigating the breach. Today (July 5th 2018), we notified everyone who was affected by email.
Typeform have assured us that they have now secured their systems and taken steps to avoid similar incidents in the future. Nonetheless, we are now reviewing whether to continue using Typeform into the future.
If you have any questions about this incident, please send an email to privacy@centreforeffectivealtruism.org.