The data breach, aibu it’s really not a big deal?

[Blackbear10]

So I received an email stating I was one of the 40 something users that had their accounts breached on MN. (In fact I was send the email 3 separate times)

Is there something I am missing? People seem to be getting very irate about the breach but I’m genuinely not sure what the problem is?
All the breach would’ve shown was your email address and any pm’s or old users names, surely that’s not an issue?

From the amount of ‘I’ve changed username for this’ posts when something isn’t even remotely outing I cannot for one second believe people have outing or detrimental info in their pm’s. I thought the whole point was people were desperate that nobody recognises them so they are unlikely to put real information on the site even in pm’s.
It’s really not like they would be pm’ing ‘Hi next door neighbor Susie, here’s my bank details for the money I owe you, oh and don’t read my posting history or you’ll see where I slagged off your CF’ing parking)’

It seems like users are baying for blood and taking it all incredibly seriously but honestly how has the breach actually affected you in anyway?

So AIBU to think the breach is not a big deal and not be remotely worried about it?
Or does someone want to educate me on what I’m missing?

Absolutely agree!

The law requires data controllers to notify users who may be affected by a data breach concerning their personal data (address, email, etc) - whether or not the breach is "serious".

This breach doesn’t really bother me either

It's not a big deal to me but I can understand if you have shared a lot on here and sent private details in PMs etc it would be very concerning to think others may have seen them.

YANBU I can't understand the outrage over it either

There are some posters who really enjoy the drama and love to berate MNHQ as I think they feel they're somehow important.

The posters who were worried about being doxxed for their 'feminist' views should be careful enough to avoid that anyway. It's discussed over on that board all the time and if you're going to be expressing extreme political views (and to many it is an extreme view) you have to be careful as some will strongly disagree and cause problems.

Am I the only one who didn't receive an email at all. I notice others have gotten one explaining the breach and some got ones when they had actually been breached, but I received nothing at all. Would there be a reason that I wasn't emailed?

I am not baying for blood but I can see where people are coming from where it had the potential to be a serious breach.

People post on here seeking support for sexual assault or advice for leaving an abusive relationship. Some posters give support over PMs, and intimate details are shared. If it were me, I can’t imagine I’d be best pleased to know a random person could have access to that level of sensitive information without my consent or control.

The law requires data controllers to notify users who may be affected by a data breach concerning their personal data (address, email, etc) - whether or not the breach is "serious".

Is that definitely correct? - I thought is had to be high risk before there is a legal requirement to tell the data subject - GDPR Article 34

Well its all relative isn't it. If you had shared very personal information on this site, which so many people do and then you found that someone had been able to access that information of course you'd think it was a big deal. If all you post is general thoughts about what your favourite ice cream topping is which is of no importance then its not going to seem as worrying.

The fact is no matter how you feel, the breech is a big deal. It allowed personal information, sensitive data and important information to be accessed by strangers. So of course people are going to be worried and wondering if the information they provide to the site is being kept safe.

There is a chance, albeit a small one that the information may be sufficient to be extremely damaging, it's not difficult to imagine that mumsnet is exactly the place where many people would come for support in very difficult situations and the PM's and name change history enough to identify these people in real life.

Blackmail against revealing an affair to a spouse or threatening to tip of an abusing spouse, or even simply embarrassing an individual publicly.

Of course, the actual chance that the individuals were breached by people who were interested in any of that (or even looked) is pretty slim, however the risk of serious harm certainly is, and whilst no the regulations do not require you to inform individuals of any breach at all, there is a potential risk of harm here and mumsnet probably don't actually know that it's non-existent, so they are almost certainly obligated to inform. Morally they are anyway, even if legally they could possibly argue that the risk is very low and doesn't require it.

I got the email at 12.30pm today but I already knew all about it.

Another reminder of being very careful what you share on the internet though.

If people are sharing personal information with strangers on the internet then this should be a wake up call to them to think about what they're doing. MN is great for the support it gives people at times of distress, but we are in the great majority strangers and that should be remembered when sharing identifying information.

I’m not worried about it (I don’t know if mine was done or not, I had a few emails and deleted them all) but I don’t PM people on here and don’t overly share anything
Saying that though, some people come on here and ask for advise about DV, abuse etc and name change constantly (some I’m guessing so if their partners came across it they find out all their posting history - some even deactivate accounts/multiple accounts from some posts I have seen on here when in a DV situcation) so I guess it could have quite bad consequences. Especially as most peoples email addresses contain their real name when they sign up

First rule of signing up to websites, create a made up email address that is nothing like your real name.

Received email at 4pm today. Just be mindful of what you share folks

I set up a separate email addy and registered with a fake name etc after the Geoffrey thing. The balls up this time doesn’t bother me, but i think each time it happens it erodes a little bit of trust that it’s a secure site. The last time it happened when armed police turned up at a posters house because of the hack totally freaked me out though - especially since I’d been picked out on twitter and my details had been given out. It made me really aware that the internet CAN affect real life.

I have always said that anyone who thinks this is a safe space needs to take a reality check.

If you’re sharing personal information with strangers over the internet then the risk is that any one of them could distribute it elsewhere anyway. Coming here for support over a partner’s affair etc was never confidential anyway because you’re putting it in a public space. And I’ve always been a bit at e.g. the hysteria over posts appearing in the tabloids since they were public anyway.

I had a non personal email address for mn anyway, and when I was logged out I simply created a new email address and re-registered.

For mn this is potentially serious because there are now laws about these kinds of things. But for the users crying about how the trust has gone and how mn have betrayed them and don’t care about the users etc etc etc they seriously need to get a grip.

The thing is though what are the chances of a user finding a person known to them in real life on MN then the ‘victim’ being one of 40 that had the data breach whilst also having revealing info so that the non victim could blackmail them?

It’s all so utterly unrealistic!

Some people were getting massively irate! I mean serious ideas of calling the ‘information commissioner’ and that MN somehow owes them something (I’m not sure what these people actually want other than to be spewing anger at MN in general)

I understand that if you have/had been in an abusive relationship then you might be worried (although I’m not sure what you are thinking will happen?) but how many people were demanding action and generally stamping their feet over nothing?!

Have a look at the sticky about this if you haven’t already, honestly some people sounded so neurotic and unhinged it got me questioning if I had missed something and was incredibly naive.

I agree, blackbear - and was a LOT more concerned when my financial details were hacked with the BA debacle, or my yahoo email hacked and spam messages sent to all my contacts

I wasn't affected personally but it must be worrying to anyone who's sharing personal stories on MN and someone then has seen their email address along with current and previous usernames and could (if they wanted) screenshot that info and put it online for all to see.

I can't be arsed to worry about things that aren't proven to harm me (or have harmed me).

The law requires data controllers to notify users who may be affected by a data breach concerning their personal data (address, email, etc) - whether or not the breach is "serious".

No it doesn’t. Data subjects are only to be informed if there is a high risk to their rights and freedoms, as measured after containment and protection efforts.

Mumsnet just told everyone because it was all over the site already.

Whether it was actually a high risk to any data subject would depend on what they had in their account. Very unlikely to have been a big deal.

Yanbu.

Some people are going way over the top and acting like their teenage diaries have been published. It’s very naive to treat MN like it’s somehow separate from the rest of the internet. I get that some people haven’t quite caught up with internet privacy but it shouldn’t be the shock some are making it out to be.

As it is, it was an IT fuck up. It happens. I suspect that people don’t have a realistic view of what is normal practice and what is and isn’t possible. In all honesty if this has really shook people up I would suggest doing some research (I think which are pretty good for concise information) and seriously consider whether this is for them.

No it doesn’t. Data subjects are only to be informed if there is a high risk to their rights and freedoms, as measured after containment and protection efforts.

That's GDPR, the right to notification may be due to PECR which has more obligation to notify, I would suggest that the private messaging in mumsnet does come under the definition of an electronic communications service.

The ICO have a handy chart in their PDF - ico.org.uk/media/for-organisations/documents/1583/notification-of-pecr-security-breaches.pdf to judge, I also think due to the high risk from the content that could be in the private messaging means that notification should be required under GDPR, but that is certainly a weaker suggestion. However the ICO would certainly required to be informed, and it's likely they would suggest informing the members in any case - particularly as everyone was aware that they could have been breached, informing those that were (and therefore those who were not) was advisable in any case.

Certainly the likelihood of harm is very low - probably no greater than harm from things which are shared voluntarily but mistakenly by many on here all the time.