
Mumsnet Data Breach - Q&A

189 replies

JustineMumsnet · 19/04/2018 21:04

As many of you already know, some screenshots of Mumsnet posts were recently uploaded to Twitter by a former Mumsnet intern – here’s a link to a previous thread discussing this in case you've not seen it.

Three of the screenshots showed an Admin’s view of the site and therefore contained the IP addresses of the posters concerned.

Understandably there have been loads of questions about the implications, about what data we hold and who has access to it so we've collated them here. Please do post any queries here or email [email protected] if you’ve any concerns or further questions.

Thanks and huge apologies if this has caused you any concern.

MipMipMip · 20/04/2018 13:15

Have to admit I was very surprised an email hadn't gone out to everyone. It's standard practice.

FreudianSlurp · 20/04/2018 13:29

This reply has been deleted

Message withdrawn at poster's request.

TheHodgeoftheHedge · 20/04/2018 14:02

Yes. I think it's pretty poor that all users haven't been emailed. It's the least you can do to actually let people know about the incident.

ItsuAddict · 20/04/2018 14:19

This reply has been deleted

Message withdrawn at poster's request.

YetAnotherBeckyMumsnet · 20/04/2018 14:28

Hello everyone - just a quick one to say thanks for all your comments, and to let you know we've now stickied the Q&A page.

Tartanscarf · 20/04/2018 14:45

This reply has been deleted

Message withdrawn at poster's request.

thurmanmerman · 20/04/2018 14:55

@KeneftYakimoski just a note to say thanks for the link to that Feynman report - it's brilliant.
Not just for engineering either. It applies to any group of people kidding themselves on that things are ok by changing the way they look at it.

FreudianSlurp · 20/04/2018 15:01

This reply has been deleted

Message withdrawn at poster's request.

MrsHathaway · 20/04/2018 16:03

I and presumably many others have stickies turned off. I do think an email is the least we should expect.

ItsAllGoingToBeFine · 20/04/2018 16:43

I and presumably many others have stickies turned off

Shock I'd love to do this - where is the option?

MrsHathaway · 20/04/2018 16:45

Er, in customise somewhere? Sorry, I turned them off literally years ago so I don't remember Blush but it's with the options to show OP highlighted and threads upside down and 100 posts per page etc.

Weezol · 21/04/2018 01:34

@MNHQ At time of posting there are a number of threads appearing from first time posters canvassing MN users on being GC and Trans issues generally. I have reported via usual procedures.
Hopefully, I am being over cautious about this and seeing patterns where there are none, however given your failure to manage the recent issues, please tell me you have increased overnight moderation for the weekend at the very least.

thebewilderness · 21/04/2018 03:34

Is it possible that MHQ does not intend to send a membership wide advisory that there has been a breach? It needs to go out ASAP!

AngryAttackKittens · 21/04/2018 06:00

This is very scary. Someone mentioned on the other thread that HQ can read all your PMs, and can see all your name changes etc. That's fine, as long as it's restricted access. But if someone who is working as an intern for a few months can access them as well, it really scares me. Seems like people started deleting past posts. But I've read on one of the threads (the Feenie one) that HQ can still see the deleted posts. That makes me feel even more scared to post anything personal, especially if you can't really trust who the people are who have all the access to our info.

This concerns me too. Why would you ever set your systems up in such a way that an intern would have that level of data access? My experience is in e-commerce rather than social media, but anywhere I've ever worked that level of data access would be available to managers only, and even then some data would only be accessible to more specific roles. I've never heard of an intern being given that kind of access. Justine says they've since changed that, which is great, but my concern is, who made the decision to allow that level of access in the first place, and do they still work for Mumsnet?

What I'm getting at is that a competent IT department should never have allowed that, and nor should upper management. When access is requested for a specific role the response should always be "why, and is it really needed in order for them to do their job?"

The responses to recent questions indicate that there's still a lack of understanding of how to manage security. People pointing that out are being handwaved away. That does not fill me with confidence that better security protocols will be put in place.

This isn't about having a go at Mumsnet, or panicking. The stolen data is already out there, too late to fix that now. What the people raising issues are trying to do is make it harder for bad actors to create problems in the future.

JessicaJonesJacket · 21/04/2018 06:51

I think we have to bear in mind that MNHQ is responding to three problems. One is a person acting in bad faith. The other is how MNHQ manages their staff, systems and processes. The third is how they manage user concerns.

There's a tension between them which impacts on what can be posted here.

Telling the general public (which is what happens when they post here) your recovery and security plans would benefit saboteurs. Sending a user-wide email when you're unsure how much your system and security have been compromised could be unwise until the investigations have been completed.

I appreciate why people are concerned and want answers, but MNHQ have to address and balance all three issues in a way that enables them and IOC and the police to complete their investigation and that will provide most security going forward.

AngryAttackKittens · 21/04/2018 06:54

Oh absolutely, there are reasons not to tell us what they're doing to update their systems and protocols. It's the fact that they don't seem to think they need to do so that's worrying people.

JessicaJonesJacket · 21/04/2018 07:07

Angry Yy but being cautious and being incompetent are going to look the same at this stage unless they put out a holding statement that says 'we can't provide any more detail until we, the IOC and the police have completed our investigation'. But that's a response that could also badly impact faith in the site. In an ideal world, they'd release a statement from an independent IT/DPA company saying they're responsible for creating a robust system (processes and IT) going forward. But, in the current climate they have to make sure any external consultancy isn't compromised.
I agree with your point about, what seems to have been, universal access to the user database rather than it being staggered on a 'need to know for your role' basis. But there have been posters on other threads saying they have similar access in other organisations when they are in PR/comms roles, which tbh I find staggering. Segmenting access and protecting data have been fundamental principles everywhere I have worked.

AngryAttackKittens · 21/04/2018 07:21

Yeah the people going "oh my company does things like that too" are making me wonder if I've just really lucked out in terms of working for companies not run by idiots.

AngryAttackKittens · 21/04/2018 07:38

That sounded harsh. I'm not suggesting that the people here saying their company allows that are idiots. Whoever set things up that way otoh...

MipMipMip · 21/04/2018 08:47

They could send out two emails, the first saying "We have had a breach, we don't think it's serious but we have launched a full investigation and security review" instead of just trying to pretend it hasn't happened.

I'm cross about what happened. It's bad, it shouldn't have been possible, but as people have said it is very hard to do anything against a determined individual. I am furious about Mumsnet's response. They are minimising it, they are not admitting they have no idea of the size, they didn't plan to report it until pressured to, they are taking the word of the person responsible that there is nothing worse. They appear to have no idea of how serious this potentially is and don't appear to be listening to people telling them. They also have no idea of the type of data they hold. I'm struggling to forgive this.

JessicaJonesJacket · 21/04/2018 09:20

I'm not sure that they never planned to report it. I think Justine made her initial responses so there was a presence on the boards but, rightly, she didn't decide or announce (which may be two different things) their response until she had taken advice from (I'm guessing) their IT, legal and DPA teams, as well as the police.
As for a mass email, I would want MNHQ to be sure of the security of their system and tbh, their staff, before sending a mass email which handily collates all users' details into the one email list (or multiple email lists).
I'm not trying to reassure you MipMip. This has shown up massive failings. But it's rare for a company in crisis mode to be expected to be as transparent as we're demanding. And I'm very conscious of the gfs, trolls and saboteurs currently posting all over MN who would love a blueprint of their future security precautions.

Tartanscarf · 21/04/2018 09:53

This reply has been deleted

Message withdrawn at poster's request.

KateMumsnet · 21/04/2018 10:44

@Tartanscarf

You also have pre-ticked boxes for emails to be sent; is that due to change prior to GDPR?

Yes @Tartanscarf - pre-ticked boxes for email or data content will be left open from next month, in line with GDPR.

KateMumsnet · 21/04/2018 10:48

Hi all

Just to let you know that we've added to the Data Breach Q&A page over here to answer some more questions.

noblegiraffe · 21/04/2018 11:03

“We’re now going to change our processes and will no longer retain any but the current email address.”

Thanks for this, MNHQ!