This is a work in progress. While we strive for accuracy, some breach details may be incomplete or pending verification.

Cairns Regional Council

Summary

Cairns Regional Council in Far North Queensland disclosed in July 2018 that personal information from two council surveys may have been compromised through the Typeform data breach. The council had used Typeform to collect community feedback through online surveys, and when Typeform's systems were hacked, data from these surveys was potentially accessed. The council apologised to affected residents and reviewed its use of third-party platforms.

What Happened

In late June 2018, attackers breached Typeform's systems, gaining access to data from forms and surveys created by Typeform's customers. Cairns Regional Council had used Typeform to conduct two online surveys for community consultation purposes. The breach potentially exposed information that residents had submitted when participating in these surveys.

The compromised data included contact details and responses that survey participants had provided, such as names, email addresses, phone numbers, and addresses. The incident occurred in Typeform's infrastructure, not the council's own systems.

Typeform notified Cairns Regional Council of the security breach in early July 2018. The council immediately assessed which surveys were affected, confirmed that two online surveys had been impacted, and notified potentially affected residents. The council issued a public apology for the breach.

Impact on Individuals

Cairns residents who had completed the affected council surveys faced minimal risks:

  • Limited data exposure: Contact information and survey responses
  • Community feedback context: Information voluntarily provided for public consultation
  • No financial or identity data: No payment details or government identity documents
  • Small scale: Only two specific surveys were affected

Potential impacts included:

  • Spam or marketing communications to exposed contact details
  • Minor privacy concern from disclosure of opinions in council surveys
  • Potential for targeted phishing using knowledge of council engagement
  • Disclosure of residents' views on council matters

Organisational Response

Cairns Regional Council demonstrated accountability and transparency:

  • Promptly notified affected residents after being informed by Typeform
  • Issued public apology for the breach
  • Published information about the incident on the council website
  • Confirmed which specific surveys were affected
  • Explained that the breach occurred in a third-party platform
  • Advised residents to be cautious of suspicious communications
  • Reviewed procedures for using external platforms for community engagement

The council's apology, while addressing a third-party breach, showed recognition of responsibility for protecting resident data regardless of where it was stored.

Local Government Community Consultation

The incident highlighted challenges facing councils conducting digital public consultation:

  • Engagement tools: Councils use online platforms to make participation accessible
  • Budget constraints: Third-party platforms offer cost-effective solutions for councils
  • Digital divide: Online surveys complement traditional consultation methods
  • Data protection obligations: Councils must protect resident information even when using vendors
  • Community trust: Breaches affecting government services can undermine public confidence

Cairns Regional Council, serving a diverse region including urban and remote communities, relied on digital tools to enable broad community participation in council decision-making.

Typeform Cascade Effect

Cairns Regional Council was one of several organisations affected by the July 2018 Typeform breach, including:

  • Tasmanian Electoral Commission (voter applications)
  • Townsville City Council (art competition, surveys)
  • Bakers Delight (promotions)
  • Airtasker (user feedback)

The impact on two Queensland councils (Cairns and Townsville) within the same week demonstrated how common third-party platforms had become in local government operations and how vulnerable this made councils to supply chain security incidents.

Queensland Local Government Context

The breaches at both Cairns and Townsville councils raised concerns across Queensland's local government sector:

  • Shared platforms: Many councils use similar third-party tools
  • Coordinated risk: Common platforms create coordinated vulnerability
  • Resource constraints: Regional councils often have limited cybersecurity resources
  • State oversight: Queensland government providing guidance to councils on data security
  • Vendor assessment: Need for councils to evaluate third-party service providers

Survey Data Sensitivity

The breach raised questions about the sensitivity of public consultation data:

  • Opinion data: Residents' views on council matters and planning decisions
  • Participation disclosure: Knowledge of who engages with council can itself be sensitive
  • Demographic information: Surveys may collect age, location, or other personal details
  • Cumulative risk: Survey responses combined with contact details build personal profiles

While individual survey responses may seem innocuous, aggregated data about community engagement can be more sensitive than initially apparent.

Government Platform Procurement

The incident contributed to evolving local government procurement practices:

  • Security requirements: Including cybersecurity standards in vendor contracts
  • Data sovereignty: Considering Australian-hosted alternatives to international platforms
  • Shared services: Exploring regional or state government-provided consultation tools
  • Risk assessment: Evaluating whether benefits of convenient platforms justify risks
  • Vendor diligence: Enhanced assessment of third-party service providers

Public Apology Significance

Cairns Regional Council's public apology was notable:

  • Acknowledged responsibility despite third-party breach
  • Demonstrated accountability to constituents
  • Set standard for how councils should respond to vendor breaches
  • Showed that elected officials and council leadership took data protection seriously

The apology reflected understanding that residents entrusted the council with their information, regardless of technical details about where data was stored.

Long-term Impact

The Cairns Regional Council Typeform breach resulted in:

  • Enhanced vendor security assessment in local government procurement
  • Greater awareness among Queensland councils about third-party platform risks
  • Recognition that community engagement activities involve data protection obligations
  • Development of council policies on using external platforms for resident data
  • Industry discussion about balancing accessible consultation with data security

While the direct impact was minor, the incident contributed to evolving practices in local government digital services and demonstrated the importance of protecting community data even in routine consultation activities.

Verification Source: View original statement