Cyber Incident Victim: Fortnum & Mason
Date: Jun 2018
Location: United Kingdom
Summary
A luxury retailer experienced a data breach affecting approximately 23,000 individuals who participated in surveys or competitions through a third-party service provider. The compromised information primarily included email addresses, with a smaller subset of participants having additional details such as physical addresses, contact numbers, and social media handles exposed. No financial data or passwords were accessed in the incident. The breach originated from the external provider's systems, with no compromise of the retailer's own website or internal data stores. The company immediately disabled all integrations with the affected provider and notified impacted individuals, while the third party addressed the vulnerability and initiated forensic investigations to prevent recurrence.
Description
On June 29, 2018, at 17:26, luxury retailer Fortnum & Mason received notification from Typeform, a third-party service provider, regarding a data breach affecting approximately 23,000 individuals who had participated in the retailer's surveys and competitions. Typeform disclosed that unauthorized access to its systems had compromised customer data submitted through its forms. Fortnum & Mason confirmed the breach did not originate from its own infrastructure, emphasizing that its website and internal data repositories remained secure. The compromised information primarily consisted of email addresses for the majority of affected participants. A smaller subset of individuals had additional personal details exposed, including physical addresses, contact phone numbers, and social media handles. No financial data, payment details, or account passwords were compromised in the incident, as Typeform's forms for Fortnum & Mason had not collected such sensitive information.

Fortnum & Mason immediately disabled all active Typeform integrations on its website following the notification and suspended all future collaboration with the provider pending security improvements. The retailer demanded assurances regarding the elimination of risks, complete removal of its data from Typeform's servers, and implementation of enhanced security measures before considering reinstatement. All affected customers received direct notification from Fortnum & Mason detailing the scope of exposed information specific to their records. Typeform concurrently addressed the technical vulnerability responsible for the breach and initiated forensic investigations to determine the full extent of the incident. The retailer maintained public transparency about the third-party nature of the breach while reiterating the integrity of its own systems and the absence of financial risks to customers.
