Party statement on data breach

Yesterday, some party members received an email from the Party’s Chief Executive, Nick Harvey, which told them that there had been a data breach at a company used by the party in connection with a recent members’ survey.

Here’s Nick’s statement on the issue:

One of our suppliers, Typeform, informed us that on 3rd May 2018 they suffered a data breach, which they subsequently discovered on 27th June and notified us shortly afterwards.

Data from Liberal Democrat members was among the data affected. You will have received an email if your data was affected.

Typeform have informed us that an external hacker managed to get unauthorised access to the results of our recent Member Experience Survey and downloaded them.

This survey contained names and email address, so we are asking affected members to watch out for potential phishing scams or spam emails.

This survey also contained information about political opinions, such as the campaigns and policy areas that are most important to you.

The survey did not contain any financial details and no other data held on any other systems has been compromised in this breach.

We are in communication with Typeform and will be re-evaluating our relationship with them in light of this incident.

We take the security of your data seriously and if we are not satisfied that sufficient steps have been taken to secure your data, we will terminate our relationship with Typeform.

We have also reported this incident to the Information Commissioner’s Office.

We’re incredibly sorry that this happened and if you have any other questions about the data breach, please feel free to contact us by emailing[email protected] – we’ll do our best to answer any queries you may have.

Read more by or more about or .
This entry was posted in News.


  • Nonconformistradical 3rd Jul '18 - 9:45pm

    Typeform is a Spanish company – from their terms of use:-
    “Who are you?

    We’re Typeform. Or Typeform S.L., for legal purposes. We’re a Spanish company, and our address is Carrer Bac de Roda, 163, 08018 Barcelona. Our C.I.F. (tax identification code) is B65831836, and we’re registered with the Trade Register of Barcelona. ”

    So who fines them?

  • David Becket 3rd Jul '18 - 10:38pm

    Why are we not using a UK company? At least they are in the EU, but for this sort of exercise UP would be preferable/.

  • Good night for bad news.

  • Cllr Fran Oborski MB 4th Jul '18 - 8:25am

    Great. Thanks to this my e mails got hacked yesterday and over 100 of my contacts got an email with attachments claiming I was going to make payments!
    I’ve had to change passwords and spend an evening sending apologetic e mails.
    Ian unlikely to respond to any e mail surveys from HQ in future!

  • @Cllr Fran Oborski MB – I don’t see the two events as being directly related.
    Data breaches from third-parties, such as has happened here, seem to be quite common – the reporting of which being aided by (EU?) data protection laws requiring companies to report data breeches.

    I hope with respect to your email service, you have firstly, taken advantage of their additional security features that both make it easier for you to recover your email account and harder to access from new computers (ie. computers you don’t normally use). Secondly, you have chosen a password that isn’t ‘lazy’ – by ‘lazy’ I mean one that either uses readily available information about you, such as your name and postcode, or one of the more common passwords: password, password1, qwerty, 12345, etc. but at the same time don’t be fooled into thinking that a short password which is hard to remember is more secure than a long password that is easy to remember. Finally, because (normal) people don’t tend to change their email password very frequently (Aside: there is a debate over the security benefits of frequent password change) do make sure that it is unique – ie. you don’t also use the same password on any other account – personal or business.

  • Nonconformistradical 4th Jul '18 - 11:56am

    I agree with Roland – the HQ statement refers to names and email addresses. This could have led to SPAM purporting to come but not really coming from victims of the Typeform hack.

    So Fran – I cannot see how this would have resulted in your email being hacked – unless you had a very hackable password maybe.

  • Laurence Cox 4th Jul '18 - 1:44pm

    I too received the email from Nick Harvey, but haven’t had any phishing emails (so far). What concerns me is that the Party is using external suppliers for this survey. Why isn’t it all done in-house; there must be plenty of Lib Dems with the right experience to do the analysis and if they come into Party HQ then the data is as secure as we can make it.

  • >Why are we not using a UK company?

    It would be interesting to know why Typeform was chosen over SmartSurvey, particularly as Mark Pack uses SmartSurvey.

    >Why isn’t it all done in-house
    Probably down to time and money, where money is from membership fees and donations. The cost and time savings achievable from using an online survey service shouldn’t be dismissed out of hand, once you factor in the speed with which you can get a survey out and the results back, the use of such services becomes practically a no brainer.

    The issues, and we have seen this across many recent (pre-GDPR) breaches are, firstly companies haven’t been giving enough attention to the security of personal data on their systems and secondly with a massive focus on security in recent years, in part because of the release of toolkits of exploits used by various agencies, IT professionals are finding holes in many systems thought to be secure. It is this focus that has done much to increase the security gap between older unsupported versions of software and current versions that receive security patches. Whilst as end users we may see this as a push to say use Windows 10 rather than XP, and the constant updates of our web browsers, for businesses things are more difficult as whilst they may be using currently supported software, getting the patches on to their production systems in a timely manner without causing a significant service outage can be problematic.

  • “Typeform have informed us that an external hacker managed to get unauthorised access to the results of our recent Member Experience Survey and downloaded them.”

    Typeform had a backup that was both accessible online, and not encrypted, which is just plain careless. They deserve the large fine that should be coming thier way.

    Of course, the Lib Dem party and local branches would never be that stupid, would we? You have all deleted those shared Dropbox folders, right?

  • Philip Knowles 6th Jul '18 - 9:12am

    The thing that worried me most is that it took TypeForm almost TWO MONTHS to notice. Sir Nick’s email came very quickly after that but it’s too late to bolt the stable door when the horse left two months ago. In between the breach and notification came GDPR. So much for that.
    As for Fran, with a name and email address I could quickly pretend to be anyone – that’s spoofing. The contacts will almost certainly have come from somebody sending an email cc’d to loads of people. We have to stop doing that. Use bcc to send to contacts and put yourself in the To box

  • Buried in the ICO announcement about Facebook today was this:
    “And it said it had also written to the UK’s 11 main political parties compelling them to have their data protection practices audited.
    This, the Information Commissioner’s Office explained, was in part because it was concerned they could have bought lifestyle information about members of the public from data brokers, who might have not have obtained the necessary consent.”

    It’s something not overdue. All parties have played fast and loose with data protection – At least one set of illegally published data (BNP membership list) was added to party databases.

    @PhillipKnowles – GDPR requires much more rapid notification of data breaches than previously. Though very little will help people who don’t distinguish between cc and bcc

  • Nonconformistradical 11th Jul '18 - 7:22am

    >Why isn’t it all done in-house

    Perhaps because the responsibility lies with the provider of the service? Otherwise it would be the party being fined rather than Typeform.

Post a Comment

Lib Dem Voice welcomes comments from everyone but we ask you to be polite, to be on topic and to be who you say you are. You can read our comments policy in full here. Please respect it and all readers of the site.

To have your photo next to your comment please signup your email address with Gravatar.

Your email is never published. Required fields are marked *

Please complete the name of this site, Liberal Democrat ...?


Recent Comments

  • nigel hunter
    Ecotricity CEO on Channel 4 news tonight pointed out that we have the HIGHEST cost and France, for example the smallest.It was also mentioned that the gas WE t...
  • James Fowler
    I don't think the we should ridicule the myth, partly because that defence plays precisely into the narrative populists want and partly because there is a certa...
  • Roland
    @Joe - Thanks for the detailed response. To me automatic PAYE reporting is equivalent to the submission of a tax return for basic rate taxpayers. I used the t...
  • Andy Boddington
    That was eight years ago. You can't expect any politician to stand by statements nearly a decade ago when the political, social and financial world was totally ...
  • Joe Bourke
    Roland, Integration of the tax and benefit system has so far proved beyond the reach of any government, including Labour when Gordon Brown was Chancellor. ...