Data breaches are a serious threat to the market research industry. In this post we’ll go through the biggest risk factors for you as a survey taker, and what you can do to stay safe when taking online surveys.
The risk of data breaches explained
Market research companies collect an extensive amount of data from respondents who share their opinions, preferences, behaviours and personal details when filling in online surveys.
- Survey takers often sign up for multiple survey sites
- They provide extensive amounts of personal profiling information
- They provide combinations of passive data and survey data
- The survey process involves many 3rd parties
Information provided by respondents usually includes personally identifiable information (PII) such as their address and telephone number, combined with extensive profiling on sensitive topics such as health conditions, employment data and personal financial information. If this data falls into the wrong hands, an attacker can build a very detailed picture of someone’s life.
A complex digital supply chain
Survey takers may encounter privacy concerns due to the extensive sharing of their personal information between different entities. Each party involved may have its own privacy policies and data handling practices, increasing the risk of data breaches and misuse.
Moreover, respondents might not always be aware of which specific organizations are accessing their data, as these partnerships and collaborations are not always transparent. The survey process usually involves many steps across a wide range of platforms. Here is an example:
- The respondent signs up on a survey site
- The respondent is forwarded to a marketplace to be matched with a survey
- The respondent is redirected to a 3rd party market research provider
- The respondent fills in the questionnaire using 3rd party survey software
- The survey results are shared with the market research agency
- 3rd party software is used to analyse the data
- The final results and analysis of the survey are shared with the end-client
The intricacy begins with the survey platform that hosts the survey and collects the respondent’s data. This platform may collaborate with several market research companies to distribute surveys to their audiences. Moreover, the survey data often goes through multiple hands during data processing, including data cleaning, analysis and reporting.
Passively collected metadata can be sold to anyone
In addition to this, passive data tracked through data collection apps can be shared and sold to 3rd party companies. Here is an example of an investigation we did to map what data is tracked by popular survey and data collection apps on the Play Store:
Keep in mind that your passively tracked data can be shared by any type of app, not just market research apps. Weather apps, mobile games and e-commerce apps will often ask to track your location so that you can take advantage of “all functionalities”. An innocent approval to share your location with a weather app could mean that your location history is sold to many different types of organisations.
What is the market research industry doing to prevent data breaches?
The market research industry has a responsibility to protect the data of its respondents and follow industry guidelines, such as the ESOMAR data protection guidelines. These guidelines provide standards and best practices for collecting, storing, processing and transferring personal data in a secure and ethical way.
ESOMAR also requires market research companies to inform respondents about how their data will be used, who will have access to it and what rights they have over it.
However, following these guidelines is not enough to prevent data breaches. Hackers are constantly evolving and finding new ways to infiltrate market research systems and databases. In recent years, there have been several incidents involving data breaches of market research companies, which we will go through below.
List of data breaches involving market research companies
Here are a few examples of major data breaches involving the market research industry either directly or indirectly:
Elasticsearch Server Leak (2019)
Vinny Troia, the founder of Data Viper, and Bob Diachenko, an independent cybersecurity consultant, discovered a “wide-open” Elasticsearch server. The server exposed the personal information of about 1.2 billion unique users, including their names, email addresses and phone numbers, in combination with metadata enriched from many other sources. The leak caused several companies to issue security notices, including Dynata.
Nielsen ransomware attack (2020)
In 2020, Nielsen experienced a disruption relating to the Australian TV Audience Measurement (TAM) data centre environment. The disruption was caused by a ransomware attack in which Nielsen was the victim. Attackers broke into the network and extracted private and sensitive information, then demanded money from Nielsen in return for releasing the stolen data.
ClearVoice data breach (2021)
In 2021, ClearVoice, an online survey platform, suffered a data breach that exposed the personal information of more than 15 million respondents and clients. The data included names, email addresses, phone numbers, passwords, payment details and writing samples. The breach was caused by a misconfigured Amazon Web Services (AWS) bucket that was left publicly accessible.
QuestionPro ransomware attack (2022)
In 2022, QuestionPro, an online survey software company, experienced a data breach that compromised the personal information of more than 100 million respondents and clients. The data included names, email addresses, IP addresses, survey responses and other metadata. The breach was caused by a ransomware attack that encrypted the company’s servers and demanded payment for the decryption key.
Nebu data breach and phishing attack (2023)
In 2023, Nebu, a market research software provider, disclosed a data breach that affected the personal information of more than 50 million respondents and clients. The data included names, email addresses, phone numbers, survey responses and other sensitive information. The breach was caused by a phishing campaign that tricked employees into clicking on malicious links and entering their credentials.
How to stay safe when taking online surveys
What can you do as a survey taker to minimize the risks of getting your personal data compromised when participating in market research? Here are some tips:
- Check the survey site: Before filling in a survey, verify the identity and credibility of the market research company or platform by checking credible review sites such as HuginX. Look for signs of professionalism such as:
  - A secure website (https)
  - A contact address
  - An opt-out option
  - Transparent rewards
- Share selectively: Only provide information that is relevant and necessary for the survey. Avoid sharing sensitive information such as your social security number, bank account details or passwords. If you are asked to provide such information, question the legitimacy of the survey and report it to the market research company or authority.
- Use strong passwords: If you have an account with a market research platform or company, make sure you use a strong and unique password that is not easy to guess or crack. Change your password regularly and do not use the same password for multiple accounts or services.
- Update your software: Keep your devices and applications updated with the latest security patches and antivirus software. This can help prevent malware infections that can steal your data or compromise your system.
- Report any suspicious activity: If you notice any unusual or unauthorized activity on your account or device, such as unexpected emails, messages or transactions, report it immediately to the market research company or platform and change your password. You can also check if your email address has been involved in any data breach using tools such as Have I Been Pwned.
Is the survey site legit?
Signs to look for when signing up to an online survey site for the first time:
Good signs:
- Transparent rewards
- No credit card required
- Secure website (https)
- Good reviews
- Easy to opt out
- Easy to cash out
Warning signs:
- Excessive profiling
- High payment threshold
- No contact address
- Complex reward programme
- Negative reviews
- Lack of transparency
In addition to the fraudulent survey sites that are outright trying to scam you, the sites to avoid are the ones offering easy money and big join bonuses that are then hard to cash out of and opt out of. To use a cliché: if something seems too good to be true, it usually is.
What are the best platforms to check reviews of online survey sites?
If you’re looking for the best and most trustworthy platforms to check reviews of online survey sites, here’s a ranking to help you make informed decisions:
- Huginx.com: We are a bit biased on this one of course, but we know for a fact that we only publish 100% honest and authentic expert reviews written by professionals from the market research industry.
- Trustpilot.com: Widely recognized platform with a vast user base, providing transparent feedback from real customers.
- Surveypolice.com: Secures the third spot, offering an extensive database of survey site reviews, enabling you to navigate the survey landscape with ease.
- App Store and Play Store: While they offer user reviews for survey apps, they rank lower due to the potential for biased or manipulated feedback.
- Sitejabber: Acts as an essential resource for vetting online businesses, including survey sites.
- BBB (Better Business Bureau): Provides a formal platform to lodge complaints and read company reviews.
- Reddit: Known for its active community, it offers valuable insights into survey site experiences. However, it’s essential to remember that not all reviews are legitimate, as they can be manipulated.
When exploring reviews of online survey sites, it’s crucial to focus on legitimate sources. Beware of random finance blogs written by affiliate marketers, as they might provide biased and overhyped assessments to promote specific sites.
Instead, rely on numerous other reputable platforms where you’ll find helpful and unbiased insights from real users. Remember, not all reviews are created equal, so take the time to discern authenticity before proceeding.
Expert Reviews vs. User Reviews: Unveiling the Real Picture of Survey Sites
It’s no secret that respondents and market research companies often have contrasting perspectives when it comes to evaluating panel sites.
Take account blocking as an example. Respondents find it frustrating when their accounts are blocked due to inattentive survey answers, while for market research companies it signals that their quality measures are effective.
Let’s elaborate further on this:
Survey Site A: Offers an excellent experience for honest and diligent survey takers. It quickly blocks inattentive respondents from providing inconsistent answers.
Survey Site B: Provides an average experience for survey takers and is less strict in blocking inattentive respondents compared to Site A.
Survey Site B is likely to receive better user reviews on sites such as Trustpilot and Surveypolice because it annoys fewer people with its lenient approach to account blocking. On the other hand, Survey Site A might garner negative user reviews due to its stricter measures. This highlights the need for expert review sites like HuginX, which can analyze user review data objectively and provide more accurate ratings for survey sites.
Our expert reviewers delve beyond the surface noise in user reviews, offering a more insightful and unbiased evaluation of survey platforms. So, when considering a survey site, it’s crucial to take both expert and user reviews into account.
How GDPR protects market research respondents
One of the most important regulations that aims to protect the data of respondents is the General Data Protection Regulation (GDPR), which came into effect in the UK and all EU Member States in 2018. GDPR is a comprehensive and strict data protection law that gives individuals more control over their personal data and imposes heavy fines on organisations that violate its rules.
The GDPR applies to any organisation that collects or processes personal data of individuals in the EU, regardless of where the organisation is based or where the data is stored. This means that market research companies that operate in or target the EU market must comply with the GDPR.
Some of the key provisions of the GDPR that are relevant for market research are:
- Consent: The GDPR requires organisations to obtain clear, specific and unambiguous consent from individuals before collecting or processing their personal data. The consent must be freely given, informed and revocable. Individuals must also be able to withdraw their consent at any time.
- Transparency: The GDPR requires organisations to provide individuals with clear and concise information about how their personal data will be used, who will have access to it, how long it will be stored and what rights they have over it. This information must be provided in a privacy notice or policy that is easy to access and understand.
- Rights: The GDPR grants individuals several rights over their personal data, such as the right to access, rectify, erase, restrict or port their data. Individuals also have the right to object to certain types of processing or profiling of their data or to lodge a complaint with a supervisory authority if they believe their rights have been violated.
- Security: The GDPR requires organisations to implement appropriate technical and organisational measures to ensure the security and confidentiality of personal data. This includes encrypting or pseudonymising data where possible, limiting access to authorised personnel only and reporting any data breaches within 72 hours.
The GDPR is a powerful tool for protecting the data of respondents when it comes to data breaches. It gives respondents more control and awareness over their data and holds market research companies accountable for their data practices. It also encourages market research companies to adopt a privacy-by-design approach that minimises the collection and processing of personal data and reduces the risks of data breaches.
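One concrete form of the pseudonymisation and access-limiting measures listed above, as an added Python example (not code from HuginX or from this post): respondent PII is split from the survey answers and replaced with a keyed token, so the response table can travel through the supply chain described earlier without carrying identities, while only the key holder can re-identify a respondent. The sample records and the test key are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample panel records (all values made up): PII combined with
# sensitive profiling, the mix the post describes. Alice has signed up twice
# with a differently cased e-mail, a common panel duplicate.
RESPONDENTS = [
    {"email": "alice@example.com", "phone": "+44 7700 900001",
     "health": "asthma", "income": "40-50k", "q1": "agree"},
    {"email": "bob@example.com", "phone": "+44 7700 900002",
     "health": "none", "income": "20-30k", "q1": "disagree"},
    {"email": "Alice@Example.com", "phone": "+44 7700 900001",
     "health": "asthma", "income": "40-50k", "q1": "neutral"},
]
PII_FIELDS = ("email", "phone")


def pseudonym(email, key):
    """Keyed token for one respondent. An HMAC rather than a bare hash, so a
    party holding only the pseudonymised table cannot recover identities by
    hashing guessed e-mail addresses; the key stays with the panel operator."""
    norm = email.strip().lower().encode()
    return hmac.new(key, norm, hashlib.sha256).hexdigest()[:16]


def split_records(records, key):
    """Split records into (identity_table, response_table).

    The identity table holds the PII and never leaves the panel operator.
    The response table is what can be forwarded down the supply chain
    (marketplace, research provider, analysis tooling, end-client).
    """
    identities, responses = {}, []
    for rec in records:
        token = pseudonym(rec["email"], key)
        identities[token] = {f: rec[f] for f in PII_FIELDS}
        responses.append({"respondent": token,
                          **{k: v for k, v in rec.items() if k not in PII_FIELDS}})
    return identities, responses


def reidentify(token, identities):
    """Lookup only the key holder can perform, e.g. to honour an erasure request."""
    return identities.get(token)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generated and held by the panel operator only
    ids, resp = split_records(RESPONDENTS, key)
    print(f"{len(resp)} responses from {len(ids)} identities; no PII in responses")
```

If the key is lost, the identity table can no longer be matched to responses, which is the intended failure mode: a leak of the response table alone exposes answers but not who gave them.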
How to report data breaches
If a respondent suspects or becomes aware of a data breach involving their personal data, they have the right to report it to the relevant authorities. Depending on the location and nature of the breach, different authorities may be involved.
For breaches that occur within the EU, the GDPR requires organisations to report them to the data protection authority (DPA) of the country where they are established or where the breach affects individuals. For example, if a market research company based in France suffers a data breach that affects respondents in Germany, it must report it to the French DPA and inform the German DPA as well. The DPA will then investigate the breach and take appropriate actions, such as issuing warnings, orders or fines.
For breaches that occur outside the EU, the GDPR requires organisations to report them to the DPA of the country where they have a representative or where they offer goods or services to individuals in the EU. For example, if a market research company based in the US suffers a data breach that affects respondents in Spain, it must report it to the Spanish DPA or to the DPA of another EU country where it has a representative.
To report a data breach to a DPA, organisations must provide as much information as possible about the breach, such as:
- A description of the nature of the personal data breach, including how many people it affected and the type of personal data records compromised.
- The name and contact details of the data protection officer (DPO) (if they have one) or other contact point where more information can be obtained.
- A description of the likely impact and consequences of the personal data breach.
- A description of the measures taken or proposed to be taken by the organisation to address the personal data breach and mitigate its possible adverse effects.
The EDPS provides an online form and guidance for reporting personal data breaches for EU institutions and bodies. For other organisations, each DPA may have its own form and procedure for reporting breaches. The EDPS website provides a list of DPAs in each EU country.
For breaches that affect individuals in the UK, organisations must report them to the Information Commissioner’s Office (ICO), which is the UK’s DPA. The ICO provides an online form and guidance for reporting personal data breaches. Individuals can also report a data breach to the ICO if they think their data has been misused or not kept secure by an organisation.
Data breaches are a serious threat to the market research industry and its respondents. By following industry guidelines and taking preventive measures, both market research companies and respondents can reduce the risks of getting their personal data compromised when participating in market research.