
Mumsnet Data Breach - Q&A

189 replies

JustineMumsnet · 19/04/2018 21:04

As many of you already know, some screenshots of Mumsnet posts were recently uploaded to Twitter by a former Mumsnet intern – here’s a link to a previous thread discussing this in case you've not seen it.

Three of the screenshots showed an Admin’s view of the site and therefore contained the IP addresses of the posters concerned.

Understandably there have been loads of questions about the implications, about what data we hold and who has access to it so we've collated them here. Please do post any queries here or email [email protected] if you’ve any concerns or further questions.

Thanks and huge apologies if this has caused you any concern.

ItsAllGoingToBeFine · 21/04/2018 11:19

Just to let you know that we've added to the Data Breach Q&A page over here to answer some more questions

That is much improved. Thank you :)

BoreOfWhabylon · 21/04/2018 11:35

Thank you KateMumsnet

And thanks also @JessicaJonesJacket for your very helpful and informative posts.

MagneticMan · 21/04/2018 13:25

"Not all of our systems currently allow a complete data audit; we’re reviewing that in the light of this incident but we can find no evidence of a further data breach. All our emails and files are handled through Google Business Apps. When a staff member leaves, we suspend their account as part of the exit process. The account remains suspended for 20 days, after which Google deletes the data (as has happened in this case). We’ve passed this information on to the police, who will decide on further action regarding the intern’s personal devices."

You appear to be saying that you have no way of knowing exactly what information EH accessed as it has now been deleted?

Well that's reassuring Hmm

Tartanscarf · 21/04/2018 13:31

This reply has been deleted

Message withdrawn at poster's request.

Tartanscarf · 21/04/2018 13:32

This reply has been deleted

Message withdrawn at poster's request.

MagneticMan · 21/04/2018 13:48

Were you using G suite? If so you have a limited time to restore the deleted data.

support.google.com/a/answer/6052340?hl=en

Have you employed a forensic IT expert yet MNHQ?

Why are you allowing data to be destroyed in a potential criminal case?

Tartanscarf · 21/04/2018 13:58

This reply has been deleted

Message withdrawn at poster's request.

MipMipMip · 21/04/2018 14:09

I hope hiring processes will include Google searches and looking at social media (including who they follow) from now on. I suspect moles will be wise to this though and make sure there's nothing interesting before applying.

CotswoldStrife · 21/04/2018 14:14

You've handled this so badly, MNHQ, and that's what bothers people.

We are looking for robust action not a promise and a deletion of evidence. Perhaps it is just those of us who have dealings with data that realise the seriousness of the breach but the fact that this thread isn't trending and that you haven't emailed your users to let them know is hard to forgive. If you'd handled it better in the first place, users would be more reassured.

So if someone has, for instance, applied to review a book or product how long do you keep their address for?

MagneticMan · 21/04/2018 14:21

So if someone has, for instance, applied to review a book or product how long do you keep their address for?

Longer than 21 days I'll bet.

KreigersClones · 21/04/2018 15:40

The actual data breach, in and of itself, well I mean, it’s not great, but it happens.
However I think it has been handled so, so, so badly.
The apparent minimising, the apparent reluctance to report, the ‘a bit cross’ comment, the ‘I don’t think’ she has, ‘I don’t believe she has’ comments, when there’s NO way of actually knowing, referring to her contract of employment as if that were the issue rather than the actual law.
However, for me the worst part of it is learning that you’ve basically ‘made her promise’ to delete anything mn related she finds on her devices. I find Justine openly saying that astonishing. As a pp has said, it’s literally reporting someone to the police (whether that be as a ‘courtesy’, or otherwise) and then colluding with them to destroy any evidence. Then saying ‘I don’t know why people think we appear to be minimising this/covering it up’. It’s madness.
I’m also extremely concerned that mn think that whatever we post is not sensitive personal information, when every member of staff seems to have our IP address, a complete history of our email addresses, actual home addresses, a complete history of private messages including deleted ones. etc etc.
We know that someone in the company will be able to access this data, but not that any and all could, including staff on flipping work experience.
I know that they’ve obviously had legal advice telling them to change this, and they HAVE reported now, but the fact is, it was initially said that basically ‘we’re dealing with this, we don’t see the need to report it at this stage as we’ve spoken to Emma and we believe it was a big mistake, and she’s assured us there’s nothing else, and said sorry to us’.
As I said before, been handled so, so badly.

KreigersClones · 21/04/2018 15:40

Oh, wow, I didn’t realise the post was so long Blush

CrochetBelle · 21/04/2018 17:25

Have MNHQ answered to anyone yet as to how long they keep a postal address on file?

Waspnest · 21/04/2018 18:05

Kreigers, I agree with everything you've said. MN only found out about the breach because of one diligent MNer. The stolen info could be out there on Reddit, Tumblr or a memory stick that EH's given to a friend. I have no idea why MN even contacted EH when they found out about the breach. They should have immediately turned over everything they knew to the police and ICO and let them deal with it. Some misplaced loyalty seemed to stop them from doing that. If EH has committed a crime then by allowing/encouraging her to delete any further evidence I'd say they're becoming dangerously close to being an accessory. I think they need to employ both new techie people and new lawyers.

Such a shame because I love the community here but this minimising will destroy trust in the site. (Mind you most of the users are probably completely unaware of what's happened - I have no idea why they haven't been told.)

MipMipMip · 21/04/2018 21:23

@CrochetBelle I found this:

Competition entrants’ data is deleted after three months. Competition winners’ data is stored for longer for accounting reasons (vouchers and other prizes have a monetary value). We’re reviewing this policy, though - and if you could drop us a line via [email protected] we’ll make sure yours has been deleted.

PencilsInSpace · 21/04/2018 22:31

I have a question @JustineMumsnet - I deregged a while back (PL blogfest incident) and a few weeks later made a new account using the same email.

Would it have been possible to link the two accounts?

Tartanscarf · 22/04/2018 06:18

This reply has been deleted

Message withdrawn at poster's request.

Mner · 22/04/2018 07:21

I agree. I would have been less bothered re the data breach itself if MNHQ had managed the consequences better. And I am shocked that Justine doesn't think that what is posted here is sensitive data.

Tartanscarf · 22/04/2018 07:26

This reply has been deleted

Message withdrawn at poster's request.

Beyond11cisRetinol · 22/04/2018 09:47

Thanks for the updated Q and A

As you say old email addresses will no longer be held when changed, does that mean that anyone who has already changed it will have the old one deleted automatically, or do we need to let you know somehow?

Also, just curious - are you removing postcodes that have been deleted too? Sorry if you have actually answered that and I've missed it! Grin

Tartanscarf · 22/04/2018 09:57

This reply has been deleted

Message withdrawn at poster's request.

Beyond11cisRetinol · 22/04/2018 10:11

I think mn poster number would sit better with me. Useless to anyone at surveymonkey then (which is what makes me uncomfortable - giving out real name/posting name linked data to a third party), whereas you'll know who's who at the MN end.

Tartanscarf · 22/04/2018 10:15

This reply has been deleted

Message withdrawn at poster's request.

Mner · 22/04/2018 13:57

Exactly tartanscarf re the sensitive data.

YetAnotherBeckyMumsnet · 23/04/2018 14:56

Hi folks - thanks for all your questions - bear with us, we're going through them now.

@beyond11cisRetinol the old email will be deleted automatically. Any postcodes supplied at registration will also be deleted when a user deregisters their account.