Bakers Delight
Summary
Bakers Delight, a popular Australian bakery franchise, notified customers in July 2018 of potential data exposure through a third-party platform breach. The incident occurred when Typeform, an online form service used by Bakers Delight for competition entries, was hacked. The breach was part of a widespread Typeform incident that affected multiple Australian organisations simultaneously, exposing information of people who had entered Bakers Delight competitions or promotions.
What Happened
Attackers breached Typeform's systems in late June 2018, gaining access to data collected through forms created by Typeform's customers. Bakers Delight had used Typeform to run online competitions and collect customer information for promotional activities. When Typeform was compromised, data from these competition entry forms was potentially accessed by the attackers.
The compromised information included contact details that entrants had submitted when entering Bakers Delight competitions, such as names, email addresses, phone numbers, and addresses. The breach did not involve Bakers Delight's own systems but rather the third-party platform the company used to manage customer interactions.
Typeform notified Bakers Delight of the breach in early July, and Bakers Delight promptly notified potentially affected customers. The incident was part of a broader Typeform breach that affected numerous Australian organisations at the same time.
Impact on Individuals
The impact on affected individuals was relatively minor:
- Contact information exposed: Names, email addresses, phone numbers, and addresses
- Limited sensitivity: Basic contact details with limited fraud potential
- Competition context: Information was voluntarily provided for promotional purposes
- No financial data: No payment information or identity documents compromised
Potential risks included:
- Spam or marketing messages to exposed email addresses and phone numbers
- Potential for targeted phishing using knowledge that individuals entered Bakers Delight competitions
- Minor privacy concern from disclosure of contact information
Organisational Response
Bakers Delight responded appropriately to the third-party breach:
- Notified potentially affected customers promptly after being informed by Typeform
- Explained that the breach occurred in Typeform's systems, not Bakers Delight's
- Advised customers to be cautious of suspicious communications
- Reviewed use of third-party platforms for customer data collection
- Demonstrated transparency despite the breach being outside their direct control
The company's response showed responsible handling of a supply chain security incident, taking ownership of customer notification even though the breach occurred at a vendor.
Typeform Breach Context
The Typeform breach in July 2018 affected multiple Australian organisations:
- Bakers Delight (competition entries)
- Airtasker (user surveys)
- Tasmanian Electoral Commission (voter applications)
- Townsville City Council (competition entries)
- Cairns Regional Council (public surveys)
The widespread impact demonstrated how a single third-party platform breach could cascade across many organisations and sectors simultaneously.
Third-Party Platform Risks
The incident highlighted risks of using cloud form platforms:
- Data aggregation: Platforms holding data from many organisations become high-value targets
- Cascading impact: Single breach affects multiple organisations simultaneously
- Limited control: Organisations depend on vendor security practices
- Notification dependencies: Organisations rely on platforms to inform them of breaches
- Customer perception: Customers may not distinguish between vendor and organisation breaches
Supply Chain Security Lessons
The Bakers Delight/Typeform incident contributed to the understanding of supply chain risks:
- Vendor assessment: Importance of evaluating third-party security before using platforms
- Data minimisation: Collecting only necessary information reduces exposure
- Alternative approaches: Considering whether cloud platforms are necessary for all data collection
- Contractual protections: Need for agreements addressing vendor breach notification and response
- Shared responsibility: Organisations remain responsible for customer data even when held by vendors
Retail Sector Implications
For retail organisations running competitions and promotions:
- Recognition that customer engagement activities involve data security considerations
- Need to assess platforms used for marketing and promotions
- Understanding that even simple competition entries can be affected by breaches
- Importance of having processes to respond to third-party breaches
Consumer Trust
While the breach impact was minor, it affected consumer perceptions:
- Customers entering competitions may not expect their data to be compromised
- Trust in promotional activities and data handling
- Awareness that providing information for competitions carries some risk
- Recognition that breaches can occur through third parties
Long-term Impact
The Bakers Delight Typeform breach contributed to:
- Greater scrutiny of third-party platforms used for customer data collection
- Industry recognition of supply chain cybersecurity risks
- Enhanced vendor assessment practices in the retail sector
- Awareness that even marketing activities involve data protection obligations
The incident, while minor in direct impact, was significant as one of several 2018 breaches demonstrating the risks of third-party platforms and the cascading effects when widely used services are compromised.