Mumsnet Data Breach Q&A, April 2018
Updated 21 April 2018
What data has been published?
Three posts from users were published by an intern on Twitter, with their corresponding IP addresses. No other data relating to users has been published thus far.
Has Mumsnet contacted the three users whose IP addresses were visible?
We’ve contacted two of them via the email addresses that we hold for them. The third poster had already de-registered; that process deletes their email address, so we no longer have any way of contacting them.
Are the three users at risk of having their real names or addresses released?
A user’s IP address can be used to determine the approximate location of the user at the time the IP address was recorded by Mumsnet. Sometimes this can be determined to within a few miles – but more usually only to city-level.
Some IP addresses are shared with hundreds or thousands of other people (for example, if you are using a company laptop or in a coffee shop).
Whilst an IP address on its own can’t identify an individual, there is the possibility (for 'static IP addresses' in particular) that the user’s approximate location (down to 5 or 6 miles), combined with information that users may have included in posts, could help someone guess who the user is.
However, the three IP addresses that were made public were ‘dynamic IP addresses’. This means that they are unlikely to refer to the user’s actual location, and could refer to a different city entirely.
Are the three users at risk of being contacted?
IP addresses can’t be used by anyone to contact you personally. The only exception is if your Internet Service Provider (ISP) has been legally compelled to provide your personal details, like your name or email address – under a warrant from the police for example. Your ISP would not respond to a request for your contact details unless legally required, and there would be no legal requirement in this case.
What other data did the intern have access to?
The employee had access to some user data – the extent of that data depends on what each individual user provided to us on registration. Much of it is optional, but at its maximum it could include the following: email address, name, gender, the date you joined Mumsnet, IP address at the point you joined; the names, DOBs, gender and number of children you have, if you gave that information, postcode and username history, along with private messages you sent or received.
There is, therefore, a theoretical risk that the intern has taken email addresses and postcodes of users and could publish that data. As far as we can ascertain, we do not believe that she has accessed any data other than in the course of her work duties or that she took any additional data before leaving Mumsnet.
Has Mumsnet reported this incident to the Information Commissioner ICO and Police?
Yes, we reported this to the Information Commission and the Police today, 19th April.
How seriously are you taking this data breach?
After further investigation of this incident, we believe that the risk of data exposure beyond the three IP addresses is small – but that does not mean we are not taking it seriously, hence informing the police and reporting ourselves to the ICO. We’ve also made some immediate changes our existing data processes. We've reiterated to the Mumsnet internal team how seriously we take data protection and reminded everyone of their legal and moral obligations when it comes to user data. If you are at all concerned, please mail email@example.com.
Why did the intern have access to this data?
The intern needed access to user information in order to carry out her work duties, which included contacting MNers to pass on press enquiries.
IP addresses are used by the moderation team to help identify bona fide users. As mentioned above, we’re removing them from the general admin view of the site today, so from now on only relevant people at MNHQ will see this data.
Why did the intern need to contact Mumsnet users on behalf of the press, and how often does this happen?
Occasionally the media ask our help to find case studies because a particular issue is in the news. We don’t allow the press to contact Mumsnet users directly, but if we feel that someone might wish to know about the opportunity to speak to the press, we will email them to let them know. It doesn't happen very often – a few times a month only.
How do you ensure that staff understand their legal obligations with regard to data?
All Mumsnet staff sign a contract containing a clause which expressly forbids the disclosure of third-party data, although that won’t stop someone who is determined to do so.
We believe that our staff take their personal responsibility to Mumsnet users very seriously indeed – it’s a central plank of our company ethos, and part of a raft of strong personal values that we look for when hiring. In this instance, we made an error of judgement, and we’re very sorry about that.
What steps have been taken to determine what other data may have been stolen?
Not all of our systems currently allow a complete data audit; we’re reviewing that in the light of this incident but we can find no evidence of a further data breach. All our emails and files are handled through Google Business Apps. When a staff member leaves, we suspend their account as part of the exit process. The account remains suspended for 20 days, after which Google deletes the data (as has happened in this case). We’ve passed this information on to the police, who will decide on further action regarding the intern’s personal devices.
Are there any other data risks you’ve identified that contributed to these IP addresses being shared, and what steps are you putting in place to prevent a repeat?
We are making a number of changes to data storage and users’ permissions in relation to GDPR, and these will be going live next month. We will be further reviewing our data access policies and controls in light of this situation to see what we can learn and whether there are additional preventative measures that we could implement. We’ll also be reviewing our training processes, particularly for Interns.
What else have we done to ensure user data is safe?
We reviewed which staff have access to user information before the intern left, and in fact, we removed this intern’s and other staff members’ access as part of that review.
We’re removing IP addresses from the general ‘admin’ view of the site today.
We’ll also be re-stressing to everyone who currently works for Mumsnet their personal responsibility to our users, and reaffirming that a commitment to protecting their data is a fundamental, non-negotiable company value.
Have we scanned for malware which might have been left to provide backdoor entry?
Yes, we have anti-virus/malware checkers installed on our computers and they run regular scans. In addition, only technical staff have administrator privileges on computers – no other staff are able to install software.
Would the intern have been able to access only the email address with which a user is currently registered, or previous emails too? What about earlier usernames?
Yes, the intern would have been able to see a user’s current email and their email address history, as well as the previous usernames associated with that account. But as we’ve said previously, we do not believe that she accessed personal data beyond what was necessary as part of her role. We have, till now, retained email address histories – they were used by our Moderation team to identify bona fide users. We’re now going to change our processes and will no longer retain any but the current email address.
The email address I registered with is identifying – how can I change it without losing my username?
You can easily change your email address via your account page – it won’t affect your username. Until now, we have stored your email address history, but this will no longer happen.
How can I delete my Mumsnet account and all the personal data associated with it?
If you would like to de-register from Mumsnet and remove all the personal information you’ve given us, please firstname.lastname@example.org with the usernames that you would like to deregister. Your Mumsnet posts won’t be deleted, but there will no longer any personal information associated with them. If you are concerned about any particular posts, you can report them and we will delete them for you. Alternatively, you can request a retrospective name change – this means that all your previous posts will appear under a different username.
Do we have a role-based data access policy in place?
Yes we do. All our admin functions are role-based and we are able to control which screen functions each role has access to. We are refining these access levels further as a result of this breach.
What measures are you taking to ensure that only select, trusted staff can access personal information?
In February of this year we streamlined the number of people with access to user data, and removed permission from anyone who needed only occasional access. In light of this data breach, we have further reviewed who has access to this tool and restricted access even further.
What information governance/data protection training for staff to you undertake, and is it mandatory?
All employees all have a data protection clause in their contracts. Mumsnet’s information security policy outlines the measures staff must take in order to protect the data we store. It is a requirement of employment that all staff read and agree to comply with this policy. We have monthly all-staff security updates to highlight new security issues, and to remind people of their security responsibilities, as well as to give staff an opportunity to raise issues and ask questions.
Is there any internal moderation or overview of deleted posts on sensitive topics that would reveal bias on the part of individuals in the moderation team?
Yes, we often review and discuss moderation and it would be very clear if one member of the team were making decisions which were out of step with our guidelines. But the intern concerned was not part of our moderation team and made no decisions about which posts should be deleted.
Is our interview process robust enough?
We always make sure we interview people at least twice, with one interview dedicated to understanding whether the candidate’s personal values align with our own. We also take up two references for every employee. In this instance, we failed to spot that these values were not strong enough – we've learned from this, and we'll be making this aspect of our hiring process even more robust from now on.
Has this affected Gransnet?
No, Gransnet’s systems are entirely separate and Gransnet users have not been affected in any way.