Update on the recent sharing of three users' IP addresses

[KateMumsnet]

Hi everyone

As many of you already know, some screenshots of Mumsnet posts were recently uploaded to Twitter by a former Mumsnet intern - here’s a link to a a previous thread discussing this.

Three of the screenshots showed an Admin’s view of the site, and therefore contained the IP addresses of the posters concerned.

Understandably, there are lots of questions about this, and we thought it best to address them in one stab over here.

Please do post any queries here, or [email protected] if you’ve any concerns or have further questions.

Thanks
MNHQ

Would she have been able to access only the email address with which you are currently registered? Or would she be able to see history of former addresses used?

Thanks to everyone about the email information.

The one slightly odd thing I encountered when changing my email address earlier was that my old email address was showing in the Postcode box (sic) even when the new email address was showing in the Email box. There was no postcode showing anywhere.

I wasn't able to delete my old email address from the Postcode box but solved the problem by entering a postcode there. A real postcode although not necessarily my own current one!

I don't imagine it's supposed to work like this is it?

Thanks for the update, and for dealing with this issue so far.

This bit I think needs a bit of clarification:

”We’ll also be re-stressing to everyone who currently works for Mumsnet their personal responsibility to our users, and reaffirming that a commitment to protecting their data is a fundamental, non-negotiable company value.”

It’s not a “company value”, it’s the law, and I hope that all your staff, especially Emma Healey’s “friends on the inside” have unequivocally been made aware that data breaches of this nature are a crime.

Frankly, if no further action is going to be taken against Emma, her friends may well be thinking it’s a risk worth taking to continue their crusade.

Eh? They asked what else she may have taken and she said 'nothing, Miss, honest. I'm soooooo soooooo saw-weeeee (please please please don't the call the police)'

If it was my business, I'd be on to my lawyer (preferably a scary one).

@KateMumsnet

Thanks for the response.

I can appreciate that it's an extremely shitty experience for you and your colleagues to have to defend your work processes and integrity because of the vicious behaviour of a workmate you had likely regarded well. So sorry for you all and

However...

I find it INCREDIBLE that you take her word that she has not taken anything other information. In particular, I find it highly improbable that she screenshotted only those posts that were on that particular thread. Given the premeditated and politically motivated nature of this crime, I believe she's lying to you.

Given this issue, how can you be sure she hasn't shared these screenshots with anyone else?

I do hope the police can resolve this issue, because it's a very big concern of mine

Scarlett

I don't imagine it's supposed to work like this is it?

I don't give my postcode to anyone unless I absolutely have to. Mumsnet don't need it. Twitter don't need it. My Fitness Pal doesn't need it. Their marketing department might want it. They might even design the webform so as you have to provide 'it'. But unless you are a) expecting snail mail correspondence/deliveries b) Have contractual/financial/legal correspondence, you don't need to give to them the real one. Don't give them more data in order that they can further profile you.

Is EH going to be prosecuted? This is a data breach, is MNHQ going to be subject to a civil monetary fine of say....£60-90k???

That's not the rigorous investigation we were hoping for, MNHQ. You just asked her and took her word for it?

Can you confirm that she is not related to any current or former MN owners or staff?

It'll be a fuck lot more after the 24th may!

Would she have been able to access only the email address with which you are currently registered? Or would she be able to see history of former addresses used?
I would also like an answer to auntiestella's question. Previous names I was known by, too? (Real, not usernames)

They've contacted the police and reported it.

Short of kidnapping her and keeping her in a cupboard that's really all that can be done I think.

Thanks, Assigned.

It was just that the only way to get rid of my old email address from the screen was to enter a postcode. And if I'd wanted MN to have my old address on display I wouldn't have bothered to change to a new one.

Hello again.

Sorry we can't keep up with this thread in real time. We will get to all your questions when we can.

Just wanted to point out, as perhaps not everyone will have seen it, that we have reported the incident to both the ICO and the police. So some of it is in their hands now, but we didn't want you to think we just put in a quick phone call to the intern and left it at that. That's absolutely not the case.

Yes, it is our belief that this isn't an 'ongoing incident' in any way. However, we definitely aren't leaving it at that and we are continuing to pursue it and do all we can to find out more, improve our own systems and answer questions and give as much information as possible.

While we hope the knowledge that Justine believes there not to be an ongoing problem here will make people feel less uneasy, please be assured we definitely don't see that as a panacea or an end to the issue.

Again, thanks for your patience and do keep any questions or concerns coming.

What I find astounding from MN & Justine is the absolute lack of contextual awareness around data storage and misuse. We might only provide a first name, year of birth and burner email address with our sign up. But that, pieced together with the near enough area we live from the IP address in context with our entire posting history (including name changes for sensitive posts) is more than enough to narrow down the data to a small enough level to clearly identify individuals. Email addresses can be searched for on FB etc to pull out individuals.

I would say mumsnet being compromised in this way is more serious than financial details being hacked. Monies can be compensated for, or at least recouped once you've dusted yourself down. People discuss on this site the most confidential details of their lives in the trust that they are anonymous & won't be doxxed - addictions, debts, relationship problems, friendship whinges, school bullying, medical issues, STDs, pregnancy decisions, domestic violence, sexual assault, political beliefs, all of which are potentially catastrophic to a greater or lesser degree if publicly revealed. The consequences could be socially seismic, not to mention life-threatening if someone has a violent ex.

I hope the offender is prosecuted, plenty of other data stealing ex-employees have been, although realise that's not your call to make MN

If I request all my posts be deleted, under all usernames, can the mods or anyone at MNHQ see them after they’ve been deleted? Or are they gone from all systems?
My understanding is While it would be good practice to do that now Champion it will be a legal requirement from 25/5/18 under the GDPR right to be forgotten.

To delete it completely, I mean

@ChampiontheWonderHamster

If I request all my posts be deleted, under all usernames, can the mods or anyone at MNHQ see them after they’ve been deleted? Or are they gone from all systems?

Mods can see that you posted, Champion, but not what you actually wrote.

Highly unlikely to mean anything but just a heads up.

Ariel Moss's tweets are something else. Arguing that Mumsnet is plotting the genocide of trans people.

I'm most worried about PMs and name change history. Lots of people share RL details via PM and even if you carefully and regularly delete your own, it's there in someone else's inbox and you have no control over it. I can't think of a reason why anyone but higher up mods would need access to these.