
Mumsnet Data Breach - Q&A

189 replies

JustineMumsnet · 19/04/2018 21:04

As many of you already know, some screenshots of Mumsnet posts were recently uploaded to Twitter by a former Mumsnet intern – here’s a link to a previous thread discussing this in case you've not seen it.

Three of the screenshots showed an Admin’s view of the site and therefore contained the IP addresses of the posters concerned.

Understandably there have been loads of questions about the implications, about what data we hold and who has access to it so we've collated them here. Please do post any queries here or email [email protected] if you’ve any concerns or further questions.

Thanks and huge apologies if this has caused you any concern.

JustineMumsnet · 19/04/2018 21:52

@KatherinaMinola

Repeating my question (also asked by other people) from the previous thread:

Are you conducting an investigation into Emma Healey's claims that she still has friends at MN who might make moderation decisions at her suggestion? Because we don't know what else they might do at her suggestion.

As I've said a few times I think Emma's comments about "getting her friends to delete things" were a bit self-aggrandising. There is no evidence of anyone on our staff mis-using mod powers. We've obviously raised the way we mod Trans issues internally and one or two of our team have said they're worried we're not being thorough enough in deleting things that are mean. This is something we'll continue to discuss to make sure we moderate fairly. But I don't believe we have anyone who poses a risk to user data on the current team.

RoseAndRose · 19/04/2018 21:53

If there are no audit trails, then you cannot say what he has done on the system. And if I understood correctly from yesterday's posts, for 5 of her 6 months with you, she had unfettered access to members' personal data.

It seems you only have her word about her activities.

merrymouse · 19/04/2018 21:53

I'd put less faith in anything "Ariel" had to say than a MNetter arguing a loo brush is sanitary.

Follow up question. Have you checked whether any of your employees have connections to ‘Addis’, ‘Toilet Duck’ or ‘Harpic’? Grin

MipMipMip · 19/04/2018 21:55

Where people have won competitions or done secret santa etc you had their address. Was this deleted immediately? If not, why not and how is/was it stored?

You said in your statement Emma had no more data. In the Guardian article it said she had promised to delete further data. Which is correct?

Are past email addresses/passwords kept on your system when they have been changed?

Have you checked there is no malware etc that has been left to provide back door entry?

MipMipMip · 19/04/2018 21:58

Why are you saying apologies if this has caused you any concern instead of apologies for being so lax in allowing this to happen?

Given EH has been very vocal in the past about trans rights, #nodebate etc why was she able to get to this point and not screened out? How are you preventing that in future?

MipMipMip · 19/04/2018 21:59

Why, when you have had a data leak before, was this able to happen? Why did you not implement a disaster plan?

DarthArts · 19/04/2018 22:02

@merrymouse

Shame on me, but no.

I confess I've not been intersectional on my toilet cleaning.

Look folks - Ariel has 51 follows on twitter. Not exactly an influence even within their own bubble.

Just trying to create some balance here wrt the veracity and reach about what's being posted.

MargeH · 19/04/2018 22:03

Was Emma only able to access the admin control panel on her work PC, or did she have automatic admin rights if logging in on her personal devices too?

LovesLaboursLost · 19/04/2018 22:03

What about the embedded data in photos posted on Mumsnet? I understand this is no longer publicly accessible, but can people like this intern access it?

JustineMumsnet · 19/04/2018 22:04

@MipMipMip

Why, when you have had a data leak before, was this able to happen? Why did you not implement a disaster plan?

I'm not sure the two are related MMM. In the last instance we were phished, swatted and ddos-ed. Following that we took measures to implement extensive firewalls and regular stress testing and white hack attempts. There have been multiple ddos attacks on MN since none of which I'm pleased to say have brought the site down (touches wood and everything else).

This breach was an employee taking screen grabs of user posts while she was logged in as an admin.

JustineMumsnet · 19/04/2018 22:05

I'm going to sign off now but will be back tomorrow (god willing).

DarthArts · 19/04/2018 22:07

Thanks @JustineMumsnet

ChampiontheWonderHamster · 19/04/2018 22:07

This reply has been deleted

Message withdrawn at poster's request.

KateMumsnet · 19/04/2018 22:07

If I signed up with an email but then changed my account details and switched to a different one, then is my old one still visible to the mods or is it just the current one?

Yes, the old email is still visible, @chardonnaysPrettySister.

AuntieStella · 19/04/2018 22:09

'Yes, the old email is still visible'

Why?

tribpot · 19/04/2018 22:12

There is no evidence of anyone on our staff mis-using mod powers.

As RoseAndRose says, with no audit facilities, you have no evidence either way. I had hoped MN might have upped its game on IT security after Jeffreygate. I strongly recommend you overhaul your tech function - it seems very disconnected from the main business of MN. I assume you can see that with such a demonstrably poor grasp of IT, there is no reason to trust statements from MN on this subject?

You have been asked repeatedly what measures you are taking to establish what else might have been stolen. The truth seems to be you have absolutely no way of doing so, so you're choosing to believe an intern with every reason to lie when she says she's disclosed everything she has.

I don't believe we have any one who poses a risk to user data on the current team.
You have no way to know this.

MrsHathaway · 19/04/2018 22:13

Will it be possible to do a GDPR-style fill user delete before GDPR, or will those currently deleting their accounts be leaving traces in your database and backups?

MrsHathaway · 19/04/2018 22:13

*full user delete

AskBasil · 19/04/2018 22:14

one or two of our team have said they're worried we're not being thorough enough in deleting things that are mean.

What are the criteria you use to decide that something is mean, please?

Are the "meanness" criteria applied across all mumsnet threads and topics, or just trans issue posts?

Why can't women be mean about men? Why are you complying with that taboo? We have the right to laugh at men, to ridicule them and to point out when they look or act in a ludicrous fashion. Women laughing at men is a massive political issue - they murder us for it. Our deepest fear about men is that they will murder us, their deepest fear about us, is that we will laugh at them. Otherwise known as being "mean" to them. It is an act of defiance and dissidence to do it. It's the act of a quisling to put a stop to it because male feelz matter.

Don't be a quisling Mumsnet. It will damage your brand.

truthybeach · 19/04/2018 22:15

Slightly off topic but in light of the GDPR regulations are you changing any of your processes regarding personal data?

JustineMumsnet · 19/04/2018 22:19

@ChampiontheWonderHamster

You said in your statement Emma had no more data. In the Guardian article it said she had promised to delete further data. Which is correct?

I’d also like an answer to this when you come back tomorrow. Thanks.

Both - Emma told us that she would delete anything she could find that was mumsnet related from her devices. This is not in contradiction to the Guardian article.

I know some of you think there's some kind of cover up going on here and there's not a lot, it seems, we can do to convince you otherwise. We've endeavoured to be as straightforward and honest about what's happened and how and why. We definitely can do some things better procedurally and technically for sure but we're not lying to you. Anyhow on that note I really am off. Night all.

MipMipMip · 19/04/2018 22:20

You should still have had a disaster plan. Why didn't you?

Why are you apparently so unaware of what falls under what data category? Are you getting good advice and did you previously?

MagneticMan · 19/04/2018 22:21

Irrespective of your reports to ICO and the Police, will you be conducting your own internal investigations into this breach of data, i.e. by employing Forensic IT experts to analyse the extent of what information EH accessed during her internship?

I think that would go a LONG way to restoring faith in MN. I'm sure the organisation can afford it and it would be an appropriate response under the circumstances.

It would help if they analyse the data re: access of other MN employees over the period when EH was employed. It seems there's a lot of doubt as to whether Emma's claims about 'friends on the inside' are true or not. MN feel that it's not true whereas the users whose personal data has been compromised are not so convinced.

I think MN has an awful lot of bridges to build due to data-fat trolls lurking beneath them in plain sight.

SomeDyke · 19/04/2018 22:23

"I'd put less faith in anything "Ariel" had to say than a MNetter arguing a loo brush is sanitary."

Except there might be one thing that the washing-powder person may be right about.............(some) MNers are cockroaches, which means we can survive a nuclear blast, unharmed...........I'm brandishing my loo brush with my antennae. Plus more Gin for MNHQ (these multiple legs come in handy!)

MipMipMip · 19/04/2018 22:24

I suppose the real question is are you aware of what a massive deal this is? It could be nothing, she may have really only taken those screenshots and will do nothing more. Or it could be huge with her handing data straight over to TRAs. But it is coming across very naively.
