UPDATE June 2021 data breach: open letter from our Co-CEOs
On June 9th, 2021 we detected a data breach in our system. An unstructured database containing technical logs was exposed and accessed, with so far no evidence that the data was exploited.
For the sake of transparency, we would like to clarify what happened. As part of a technical system upgrade that was carried out recently, despite the security protocols in place, a database containing technical logs and information about the data that is pushed to external systems was exposed and accessed. The PII (Personally Identifiable Information) of participants in a small number of our customers’ Qualifio campaigns was leaked.
Customers who don’t have integrations with Qualifio within their account were not affected, and not all customers who were impacted were affected in the same way, with different categories of data being leaked.
Our technical and business teams have been in continuous and close contact with the impacted customers since the incident, helping them to take any necessary and additional measures on their side. There has been no impact on the service provided by Qualifio, with no downtime on the platform.
Once we were notified of the breach, we immediately activated our data breach procedure and fixed the issue. We then communicated with all our customers, providing additional details to those who were impacted. All necessary measures were taken on our side to secure the affected database, and to make sure that none of our other databases are affected by the same issue. Several other critical actions were taken subsequently:
- An email explaining the situation was sent to all our customers, asking them to take the necessary measures on their side, such as changing the configuration of the integrations on their Qualifio account.
- In the interests of transparency, we informed the Data Protection Authority in Belgium, and filed a complaint with the police and the Belgian CERT.
- We mobilised all of our technical resources to solve the issue, to analyse the impact of the breach and to determine the extent of the exposure.
- We set up a dedicated support task force, handled directly by the leaders of our company, who were in direct communication with our impacted customers.
We sent an official DPO report to the customers who were impacted just over 24 hours after the incident, so that the relevant local authorities and our customers’ DPO could proceed accordingly.
An updated technical report and 3-month action plan were shared with the impacted DPOs on July 1st. This plan foresees an external audit of all of the changes and improvements that we are making. It is important to note that, based on the various analyses conducted both internally and externally, we have found no evidence that our system was compromised in any way beyond the direct access to the exposed database. Your data collection process is safe with Qualifio.
We are deeply sorry about what has happened and the impact that the breach has had on some of our customers. As a data processor, we are subject to strict confidentiality clauses with our customers and cannot provide any additional details about who was impacted and to what extent.
But we can say that the violation affected the core of our business: YOU, our customers and of course the individuals whose personal data was affected. Securing your data is at the heart of everything we do and is a key concern for us. Unfortunately on this occasion we missed the mark, and we are already putting measures in place to further secure our infrastructure and we won’t stop there.
The security and architecture of our system are our main priority, one that we take very seriously. Our technical infrastructure is tested regularly, with penetration tests carried out regularly by both our customers and certified external auditors.
We have learned a lot and grown from this incident, and we will make sure that the lessons learned will help us to avoid the occurrence of any such incident in the future.
We would like to express Qualifio’s full and ongoing commitment to the security of your data, and our promise to be fully transparent in our communication with you. We will strive to work even harder to deserve the trust you put in us.
We would also like to thank you for the support and kind words we have received from many of you.
On behalf of the Qualifio team,