QuestionPro prioritizes your personal information’s privacy and security. As one of the leading platforms in the industry, we aim to maintain high standards regarding the care of data and transparency with our clients and users.
In this article, we will address a recent incident that may have put some of the personal data of one of our users at risk and share all the information about it with complete transparency.
What Happened?
In late May, malicious hackers compromised QuestionPro’s security by illegally accessing a “proof of concept” data science server populated by backup data. They then intended to extort QuestionPro for financial purposes.
We performed a forensic review to determine whether the claim of customer record access was legitimate. Upon completing the evaluation, we determined the offenders’ claims could represent an actual threat.
Subsequently, we reported the incident to the Federal Bureau of Investigation. They are currently handling the case as a criminal matter.
Who Was Impacted & How
Based on our analysis, the platform limited access to personally identifiable information (PII) both in scope and in the information obtained.
First, because this was a backup/test server, it was not linked to the complete QuestionPro data set.
Secondly, because of our data protection policy (and commercial best practices), we do not store complete customer records in any single data set on any single server. Here’s what we believe could have been accessed:
For Select Communities users:
- Email address
For Select Survey Respondents:
- IP Address, Browser Type & User Agent, and Email Address (if the respondent provided this)
What Steps We’ve Taken
QuestionPro has engaged a third-party security review process to monitor and maintain our systems and provide guidance on further improved procedures for experimental systems. We are also in the process of validating and notifying all customers who could potentially be affected by this incident. In response, we are working on the following changes:
- Advanced Data Security & Handling for all QuestionPro Employees.
- Experimental Systems will go through our standard Info/Sec Process.
- Enhanced Data Security / Handling for engineering teams that handle customer data.
- Encryption at rest for ALL PII Related Data – not just sensitive PII Data, including experimental and reporting systems.
Our Commitment to You
We place the highest priority on you as a valuable customer and survey participant. Therefore, we understand and validate the concerns that might have arisen from this incident. We are aware we must earn, or re-earn, your trust. And we will, with actions. We want to ensure we take this matter seriously as we continue to monitor and improve all aspects of protecting your data.
Contact Us
If you have questions or want to speak to a QuestionPro representative, please email us at: [email protected] or contact us. We are willing to answer any questions or comments you may have.