
Mumsnet Data Breach - Q&A

189 replies

JustineMumsnet · 19/04/2018 21:04

As many of you already know, some screenshots of Mumsnet posts were recently uploaded to Twitter by a former Mumsnet intern – here’s a link to a previous thread discussing this in case you've not seen it.

Three of the screenshots showed an Admin’s view of the site and therefore contained the IP addresses of the posters concerned.

Understandably there have been loads of questions about the implications, about what data we hold and who has access to it so we've collated them here. Please do post any queries here or email [email protected] if you’ve any concerns or further questions.

Thanks and huge apologies if this has caused you any concern.

Beyond11cisRetinol · 19/04/2018 22:25

Hi Justine, just carrying my questions over from the other thread...

A former MN employee stated upthread (on the other thread) that sign up info is available to any mn admin. I don't have a problem with that necessarily, but just wanted to check - if I have changed from the info I signed up with to something less outing (say "Jane smith" and "[email protected]" to "Jane" and "[email protected]"), are both visible to you, or can you only see the updated one?

And with PMs, a few people have sent real names or addresses to one another. After Jeffery we were advised to delete anything like that in case of a breach, but can MNHQ see deleted PMs?

Then last one... I'm a product tester with the insight team. Assuming (hopefully!) the answer to the above two posts is that admin can't see my old/deleted data, are they able to access the insight team data?

I'm actually "out" in my real name so the TRA comeback isn't a massive concern in my case, but there is a lot of sensitive info on my mn posts over the past nine years that I'd rather not have linked to my real (quite uncommon) name.

FloraFox · 19/04/2018 22:27

@JustineMumsnet

I don't think there is a cover up going on but you cannot let her delete any extra data she has without disclosing it to you. You also cannot just accept her word on this matter.

You need to get copies of the other data she has and make the appropriate reports and notifications to anyone whose data has been compromised. You also need to find out whether she has shared that data with anyone else. You should also inform the police that she may have further data that she might destroy as this is evidence of potential criminal action.

KreigersClones · 19/04/2018 22:29

I know some of you think there's some kind of cover up going on here and there's not a lot, it seems, we can do to convince you otherwise
Making her promise to delete anything mn related rather than forcing her to disclose it to you/the police probably isn’t helping tbh...

KeneftYakimoski · 19/04/2018 22:30

Emma told us that she would delete anything she could find that was mumsnet related from her devices

So to be clear, you've reported an information breach to the ICO and the Police, and then agreed a strategy of destroying evidence of that breach with the person who has admitted carrying it out?

MagneticMan · 19/04/2018 22:31

(some) MNers are cockroaches

Hasn't Milton suffered enough online vilification already without being brought into a TRA data theft debate Sad

DarthArts · 19/04/2018 22:31

MIP

A disaster plan...

In IT terms that's generally related to a major systems outage.

That's not the case here.

In terms of a data leak, yes it's not great but being frank we are not on the scale of Facebook here.

3 users - had IP address linked to them that might - just might - have given a geo location within 5/6 miles. Dynamic IP addresses which change. 3 users.

Yes 3. On the basis of screenshots by a politically motivated intern.

Honestly I think a lot of people need to get a grip.

I've seen less posts about FB data breaches of millions of users than this.

ChardonnaysPrettySister · 19/04/2018 22:31

Beyond they said the old identifying emails are still accessible.

MrsTylerJoseph · 19/04/2018 22:34

I’ve given you my real name and address before, not when I signed up as I signed up with a fake name but because I won something in a competition.

Would those details still be held by MN and would a member of staff be able to easily access that information if they wished?

In view of the reputation MN are getting in the TRA world are you concerned Justine that people may try to infiltrate MN by applying for jobs, pretending to be uninterested in Trans issues and then doing something awful to cause a load of chaos of MN and its users? Like a massive data breach/publication?

DarthArts · 19/04/2018 22:37

@SomeDyke

You might be right on that :-)

After the life extinction event the only thing left is MNetter with a loo brush, clean carpets, penis beaker in the bedroom, EKL in the garden brandishing Zoflora in a water cannon ;-)

Lokisglowstickofdestiny · 19/04/2018 22:39

I'm concerned that you appear to be retaining old email addresses. What business need do you have for this - if you don't have a legitimate reason for retaining it you should be deleting it from your records?

Bumblefuddle · 19/04/2018 22:41

This reply has been deleted

Message withdrawn at poster's request.

Bumblefuddle · 19/04/2018 22:42

This reply has been deleted

Message withdrawn at poster's request.

PencilsInSpace · 19/04/2018 22:43

Thank you for at last calling this a data breach.

I just read this on the 'sharing' thread: What people volunteer to post is not classed as Sensitive Personal Data ... Any sensitive data that we ask for/collect (eg medical info) then we have a legal obligation to make sure we protect it. If people volunteer that info to a public forum that’s a different thing.

I don't believe this is correct.

All the data you hold on us is volunteered from our sign up data to 'what's for dinner?'. Behind the scenes you can work out exactly what RL identifiable people had for dinner. As well as our medical issues, when our last period was, the ins and outs of our abusive relationships, the difficulties we faced contemplating a termination, how we vote, what we do in bed ... bla bla bla, and of course what we think about the transactivist agenda.

This is what makes all the data you hold on us sensitive and personal. The BIG draw to posting on MN is we can describe what we're going through and say what we think anonymously. You appear to be not bothered about the consequences of compromising this privacy.

Maybe you have shit hot lawyers who are finding all the loopholes to make this just about legally OK. It's not morally OK though and everyone here can see it. We were only here in the first place because we trusted you.

FloraFox · 19/04/2018 22:43

JustineMumsnet said on the other thread about SPD:

If people volunteer that info to a public forum that’s a different thing.

People are not volunteering the info on a public forum where they are publicly identified - they are sharing the information in an anonymous forum and it is MNHQ's responsibility to maintain that anonymity. As bumble said, primarily by keeping the data sets separate.

Bumblefuddle · 19/04/2018 22:45

This reply has been deleted

Message withdrawn at poster's request.

whatashower · 19/04/2018 22:46

For Justine and all the team.
Gin
Thank you.

FloraFox · 19/04/2018 22:47

Bumble I totally agree!

MipMipMip · 19/04/2018 22:50

I would expect some sort of disaster plan, yes. This would usually be done in stages so if x happens you implement a, if y happens you implement a+b etc.

Something like this there should be procedures in place - automatic report to the information commissioner, statement sent out acknowledging what has happened within an hour, IT checking for malware and potential breeches, attempts made to find out what information was taken, lawyers involved to make sure no evidence deleted. As this was an internal attack all staff who she was friendly with or worked with should be interviewed separately, not suspecting them but they might have seen something that would help and you don't want memories influenced by each other.

Any organisation that holds data on this scale should have a plan like this. If it was an external breech that would also include shut down from the net to stop further information trickling away or more attacks. And forensic IT searches for anything hidden and to reveal what had been taken.

What is angering me is not that this has happened (although it shouldn't have done) it's that this stuff isn't being done. The investigation appears to be asking EH what she took and if it has been passed on. Mumsnet don't appear to know what category the information they have is. They are keeping old information - why do they need your old email if you have changed it? And they really don't appear to grasp the potential damage if their protege has not told the truth and has more information that she will either publish or quietly pass along to others.

MipMipMip · 19/04/2018 22:50

And I can't spell breach*Hmm

DarthArts · 19/04/2018 22:57

There have been some great questions asked but to keep asking them in the context that there has (and it's clear this is not true) been a mass data breach is just feeding the people and ideology who feel the same way as Emma.

FFS get a grip and stop fuelling nonsense.

MipMipMip · 19/04/2018 23:03

I am asking them in the context of not knowing the size of the breach, only what has been revealed so far.

Omnomnomnivore · 19/04/2018 23:03

PencilsInSpace and FloraFox have articulated this perfectly. As usernames can be linked with personal data (names and addresses) and sensitive personal data (posts on e.g. pregnancy choices, disability, race) then a raft of information on one person could easily be found, depending on where this data was held and how securely. This goes way beyond one debate and into a wider security issue. MN should be very glad this happened now and not post-GDPR.

I'm not going to demonise EH but after reading the other thread... really Justine? You feel "a bit cross" with the intern? No wonder so many people are asking if you're taking this seriously!

TheCraicDealer · 19/04/2018 23:10

I LOVE MN. Honestly. I love it, i was fangirling all over Justine at the weekend and I'm sorry that this shit has been laid at her door.

However, I do not understand the willingness to engage with a disgruntled ex employee who has betrayed you, her colleagues and the users of this website. Betrayed not only the women who feel this is the only space they have to verbalise their concerns about GRA, but everyone else who needs or takes value from this place for innumerous other reasons. She did this knowing that it would damage you and risk this forum's existence. She may be "sorry" and you may truly believe her, but sometimes sorry just doesn't cut it.

I know she is an ex colleague, but she gave zero shits about that when she decided to use her valuable experience at MN to pouff up her own ego and profile. I don't care that she's "deleted" everything because, as has been suggested by MN mods previously, she likely sent the material on or stored it elsewhere during her employ. There is a possibility that this is no longer within her control. Like a cheating spouse on Relationships, she will tell you what she calculates she absolutely has to and no more. Trusting her would be incredibly naive at this point, and I hope there's something going on in the background that isn't being disclosed rather than simply taking her word for it.

[exhale]

Weezol · 19/04/2018 23:12

Excellent post Craic.

KeneftYakimoski · 19/04/2018 23:12

why do they need your old email if you have changed it?

I can see how that one might have arisen, actually, although I think it's a weak argument. These days we take it for granted that anyone can obtain any number of email addresses which are not linkable, but that was kinda-sorta not realised a decade ago. I mean, it was in fact just as true, but my memory of the period is that it was kinda-sorta assumed that email addresses were a bit of a fag to change, so people only did it as a last resort. So I can imagine that it was decided to keep old email addresses as part of the "previously banned posters" detection: if someone registered a new account you could check whether it was associated with an old, troublesome email address.

It's a pretty crap argument, not least because my memory is that donkeys' years ago I signed up for an MN account with a mailinator email address, which is the burner's burner, so there was no serious joined-up attempt to enforce a "banned email" policy with any teeth. But I can imagine it was felt to be useful when tracking people who posted, got banned, and popped up again. I don't think it was useful, but it's enough of a "business purpose" for the era.

Now, of course, it's absurd to keep old email addresses. No upside, lots of downsides. Dumping that archive would be a very good idea.
