The Tasmanian Electoral Commission (TEC) has revealed that the personal information of around 4,000 voters has been compromised as part of an attack on Spanish online form building service Typeform.

In a statement released on Saturday, Tasmanian Electoral Commissioner Andrew Hawkey confirmed that TEC had been implicated in the recent Typeform breach.

“Earlier today, the Tasmanian Electoral Commission was informed by the Barcelona-based company Typeform, that an unknown third party had gained access to one of their servers and downloaded certain information,” he said.

“Typeform online forms have been used on the TEC website since 2015 for some of its election services.

“The Electoral Commission apologises for the breach and will re-evaluate its collection procedures and internal security elements around its storage of electoral information for future events.”

The breach in question involved an unknown attacker downloading a back-up file that held information such as the name, address, email and date of birth of voters who had applied for an express vote at the previous state elections, Hawkey said.

While details on the scale of the breach remain unclear, Hawkey said the number of Tasmanians implicated is “probably in the vicinity of 4,000.”

TEC said it would be contacting victims of the breach in the coming days.

It also stressed that the compromised data was only related to voters who had recently applied for express votes and “has no connection to the national or state electoral roll.”

The Typeform attack

TEC is just one organisation involved in the seemingly widespread Typeform breach.

Barcelona-based Typeform, which has been used by Apple, Airbnb, Uber and Nike in the past, said that the backup file gathered by the attacker did not contain payment or password information.

“We have immediately initiated a comprehensive review of our system security and have identified the source of the breach and have addressed that security vulnerability,” it said in a statement.

Soon after Typeform made the breach public, UK-based digital bank Monzo announced that the personal data of 20,000 of its users had been leaked in the breach.

The Monzo user data in question included Twitter usernames, universities, age and salary brackets, employers and old banks.

GDPR in action

The hack marks one of the first major global breaches since the EU’s GDPR reforms were introduced in late May.

In its statement, Typeform claims that the breach occurred at 14:00 Central European Time on 27 June.

By 29 June the company had notified affected users of the breach and announced it publicly.

This was within the 72 hours that companies now have under GDPR to notify relevant authorities and users of a data breach.

“We launched this communication as soon as possible after feeling comfortable that our platform is now secure,” Typeform’s statement said.