
Update on the recent sharing of three users' IP addresses

103 replies

KateMumsnet · 19/04/2018 17:57

Hi everyone

As many of you already know, some screenshots of Mumsnet posts were recently uploaded to Twitter by a former Mumsnet intern - here’s a link to a previous thread discussing this.

Three of the screenshots showed an Admin’s view of the site, and therefore contained the IP addresses of the posters concerned.

Understandably, there are lots of questions about this, and we thought it best to address them in one stab over here.

Please do post any queries here, or [email protected] if you’ve any concerns or have further questions.

Thanks
MNHQ

PencilsInSpace · 19/04/2018 20:00

You need to share that Ariel tweet with the police.

SomeDyke · 19/04/2018 20:04

"I would say mumsnet being compromised in this way is more serious than financial details being hacked. ..... People discuss on this site the most confidential details of their lives in the trust that they are anonymous........."
I think this is the key, it's not just MNHQ being disappointed/dismayed over a breach from some one person that they had trusted and employed, it is every user on here who trusted MNHQ for years. And that trust has been sorely shaken. Saying, it wasn't that serious, there were only 3 IP addresses, we all know what that sounds like...........

KeneftYakimoski · 19/04/2018 20:06

We might only provide a first name, year of birth and burner email address with our sign up.

I'd be willing to bet that the vast, vast majority of sign-ups for Mumsnet as a whole are nothing like "burner" email addresses, but will be the same email address used for Facebook, with the privacy settings on FB set (as they are by default) to allow direct searching from email address to public profile, and will contain within the name part some substantial portion of the user's real name. MN isn't NM, but the idea that its userbase are predominantly experienced, privacy-aware people with strong cyber-security skills doesn't stand serious examination.

It would be a very interesting project for an MSc or PhD student in cyber-security, who was willing and able to come to an appropriate enforceable NDA arrangement with MN, to do a study of the linkability of sign-up data. There are massive ethical problems, and the ethics review would be challenging, but it's a key question we need answers to. Linkability of "social networking" datasets is assumed by some to be very hard, and by others to be incredibly easy, and my suspicion is that it's somewhere in between. But it really does need some concrete research on real data sets.

NerrSnerr · 19/04/2018 20:06

Can someone point me in the direction of the thread where MNHQ shared her apology as I'm curious what she said. I have looked at a couple of threads but can't find it.

ChardonnaysPrettySister · 19/04/2018 20:09

I asked on a separate thread, but I will ask again.

If I signed up with an email but then changed my account details and switched to a different one, then is my old one still visible to the mods or is it just the current one?

I would think many of us would like to know, especially now.

CrochetBelle · 19/04/2018 20:16

Slightly off-topic, but important in knowing who our information is shared with, you say...
The intern needed access to user information in order to carry out her work duties, which included contacting MNers to pass on press enquiries.

What type of press enquiries? Why would the press need to contact a Talk user? And how often does that happen to have it specifically written into the 'work duties' of a member of staff?

What else were her 'work duties'? Comprehensively, please...

Yarnswift · 19/04/2018 20:17

I’d like to ask how you can be sure that no name identifiable info was stolen? MNHQ had my home address and name from a competition and it’s critical that doesn’t get into the public domain. I’ve de and re registered under this name but if it was taken it was taken. It would be simple to pop all that on a thumb drive and unless you’ve got a fully accountable access trail you can’t rule it out.

I honestly wouldn’t take this woman’s word for anything. Of course she will say she didn’t do anything else. The tweet above is a direct threat to release identifiable info and that could be life threatening for women with violent exes. It could lose people jobs. It has real world impacts.

I really hope the ICO and the police take this further or it will encourage other extremists to do similar. Hopefully the ICO are advising you on security measures. Hopefully the police will prosecute.

Gin MNHQ... what a week, eh?

KatherinaMinola · 19/04/2018 20:17

Thank you. This is a helpful summary. I'm glad the matter has been reported to the police.

I agree that the tweet above also needs to be referred to the police.

Are you conducting an investigation into Emma Healey's claims that she still has friends at MN who might make moderation decisions at her suggestion? Because we don't know what else they might do at her suggestion.

I do not believe for one moment that those are the only screenshots she took or the only data she stole whilst at MNHQ. But I suppose that this is in the hands of the police now?

Her "apology" is a joke.

VioletCharlotte · 19/04/2018 20:18

@KateMumsnet
Please can you advise whether the intern would have had access to ALL my data? So, full name and email address provided at sign up AND all of my posting history?

And also, can you tell us whether employees all have mandatory data protection training and a clause in their contract

VioletCharlotte · 19/04/2018 20:19

Sorry posted too soon..
And a clause in their contract about data protection?

Because a poster earlier today, who said she used to work at Mumsnet, said she didn't believe there was.

thatwouldbeanecumenicalmatter · 19/04/2018 20:21

we have spoken to the intern and Justine has said that's her firm belief

Dishonest liars sometimes are dishonest, and lie.

I know, that's a shocking revelation.

^^ Erm yes this!

Emma only got found out because an eagle eyed MNetter saw that tweet out of all the millions of tweets made that day/week/month - she didn’t fess up or hand herself in. I wouldn’t be taking her word on that single screen shot being the only breach of members' privacy. It’s like when a cheat gets found out by their partner that they’ve been cheating - they’ll only admit to what they think you know/the bare minimum.

I appreciate the steps you have taken MNHQ and I sincerely hope that the police do take this further and would like to be kept updated on the outcome.

CotswoldStrife · 19/04/2018 20:33

I'm going to add to my earlier post about asking if she is related to any of the staff or owners at MN and ask if the selection procedure was followed completely (including references) and if she applied for the post in the normal way or was put forward by a friend or relation of someone at MN such as Justine.

NerrSnerr · 19/04/2018 20:43

Thank you @spontaneousgiventime

PleaseDontGoadTheToad · 19/04/2018 20:49

If I dereg then will all the data you have about me be deleted? Or will MN still have access to it?

BoreOfWhabylon · 19/04/2018 20:50

Cotswold Justine has already denied categorically on the other thread that EH was a friend, relative or known to anyone at MNHQ

None other than an employee! No relation, friend of a friend, third cousin once removed. Nada. Niente. Nothing. Cross my heart and hope to die!

PleaseDontGoadTheToad · 19/04/2018 20:51

And yes, I hope MN are taking Emma's claims that she has friends still working at MN who are leaking her information seriously. She might be lying but equally she might not be. I feel a bit iffy posting on here now tbh and won't feel secure again until after we can safely say nothing is being leaked from HQ.

namechanz · 19/04/2018 20:56

pleasedontgetthetoad I want to know the answer to that one too

WomanLifeIsGoodish · 19/04/2018 20:58

From the guardian article:

A spokesperson for Mumsnet said Healey had now promised to delete all other Mumsnet-related material.

Which suggests to me those 3 screen grabs were not the only data stolen.

But hey, she’s promised to delete it, so, s’all good man!

PleaseDontGoadTheToad · 19/04/2018 20:58

So she says...

leghoul · 19/04/2018 21:02

What happens to the data given to MNHQ if you apply to competitions and tick the box saying do as you will with my data? Apologies if this is answered elsewhere, like the small print of the box.. but in light of this and GDPR and so on, will users be able to stop the future use of this information? And can admins etc see this as part of the user profile?

Weezol · 19/04/2018 21:03

The title of this thread is pretty poor. I'm sure the words 'Data Breach' would make a lot more users aware of this.

I'd hate to think MNHQ is being intentionally ambiguous, but given some of the posts from @JustineMumsnet last night and this morning, I can't help wondering.


JustineMumsnet · 19/04/2018 21:08

@Weezol

The title of this thread is pretty poor. I'm sure the words 'Data Breach' would make a lot more users aware of this.

I'd hate to think MNHQ is being intentionally ambiguous, but given some of the posts from @JustineMumsnet last night and this morning, I can't help wondering.

Here you go
