Fortnum & Mason and Monzo hit by data breach

Heritage British retailer Fortnum & Mason and digital challenger bank Monzo have both been impacted by a significant data breach as hackers identified a security weakness within a third-party company the two brands have worked with in the past.

The attack hit clients of Typeform, a survey company based in Barcelona.

Fortnum & Mason released a statement saying around 23,000 customers who had entered a competition organised by Typeform had their email addresses exposed to the hackers. The retailer said the hackers also managed to gain data including address, contact number and social media handles from a “smaller proportion” of customers. No bank details, payment details or passwords have been exposed and all customers have been notified, said Fortnum & Mason.

An F&M spokesperson said: “There has been no breach of Fortnum & Mason’s website or database, and all data which we hold is unaffected by this breach. We have disabled any and all Typeform forms existing on our website and will not work with Typeform until we are assured that there is no further risk, that all our data has been removed from their servers and that their security measures have been improved. We have been informed that Typeform have fixed the root cause and are undertaking forensic investigations.”

Meanwhile, around 20,000 Monzo customers were affected by the same cyberattack, which resulted in no loss of bank details.

The digital bank broke down the data breach figures, reporting that 19,213 email addresses had been exposed, while the theft of other data has left customers vulnerable:

Breakdown of Monzo data breach:

19,213 - email address

1,600 - postcode and name of old bank

1,434 - Twitter username and email address

908 - email address and university

191 - name, email address, city, age band, salary band

53 - name, email address and employer

7 - name and email address

The bank said all customers had been informed and that it has terminated its work with Typeform. It also said that, in future, it would remove all survey data from any third-party provider within two months of a survey.

Monzo CEO Tom Blomfield said: “To everyone affected, I’m very sorry. Unfortunately, we can’t ever guarantee that something like this won’t happen, but we’re doing everything we can to protect your data and we’ll learn from this incident.”

He added: “If we get more information on the breach, we’ll give a more thorough update in the near future. Until then, we’ll be working hard to minimise the impact on the people involved and we will ensure that no customer is left out-of-pocket as a result of this breach.”