My data has been breached

[Simbaya]

Respond please.

@DeaconBoo I imagine lots of posters will. Some people only need a couple of online breadcrumbs.....

Wow

Hi again, apologies, I can see that my response may have looked abrupt without context:

Here's what I posted on the thread about it when it happened in case you missed it:

JustineMumsnet

We had a temporary glitch with 'Report this post' for a short time today which meant the email of the person reported was included in the report and in a few cases in responses to those reports. This applies to a very small number of users and we'll be contacting them shortly to let them know. Our DPO has been informed and on his advice we'll report it the ICO if appropriate. Please be assured the issue is now fixed. We will of course be examining how it happened to ensure it never happens again. We're really sorry for any concern caused.

An update on this:

We emailed the affected users overnight offering to delete their posts, a retrospective name change or to change their email address. There are around 20 users affected.

The problem was caused by human error our end - our proper processes weren't followed. It started at 12.45pm yesterday and was fixed as soon as we were alerted (around 7pm).

It applied only to the emails/usernames of users who had posts reported (not to those doing the reporting). (Their details were included at the bottom of replies to the person who reported the post)

We know how the error occurred - we obviously have checks and balances in place to stop this kind of thing happening and in two very clear ways the proper procedures weren't followed in this instance.

We'll be reporting ourselves to the ICO today.

Obviously this is deeply disappointing and I understand that people are unnerved. I can assure you we are taking it very seriously internally to learn from it and make sure nothing like this can happen again.

I'm really sorry this has happened and apologise wholeheartedly to all those who've suffered undue concern as a result.

fucking hell, the absolute cheek of of posting the reported posts (which are the words of a twat to be fair but that’s not the point) to try and deflect blame. WHY did you include the reported posts on here @JustineMumsnet? You’re in email contact with OP so seriously, what was the reasoning behind that?

I don't understand why posters are down playing this. JK Rowling has been doxxed and received death threats for holding different opinions to others. Leaking private information has the potential to lead to serious crime.

Do play nicely. It wasn't there when I started typing otherwise I wouldn't have posted the "nvm, crossposted" afterwards 🙄

@mn - that is really bad to have posted on an open thread her posts and reasons for deletion. That should have been in an email. Disgraceful.

It wouldn't bother me at all to be honest because I've nothing to hide!

I'm also not fussed about being outed 🤷🏼‍♀️ Just doesn't bother me personally at all.

FWIW It’s pretty obvious to me why the reported posts were posted here by Justine - the OP has been on this thread claiming that the reports were malicious. Yes it could have been sent to the OP by email but then everyone else here wouldn’t have known that there was no malicious activity and would have worried about it. I’m not sure you can complain about a lack of info from MNHQ and then also complain when you get it.

You know, I said it before on a thread on site stuff. That the IT is appalling your data management is woeful. You come across as a bunch of amateurs and it’s not good enough.

you don’t take any data breaches seriously enough

how many have there been?

I don’t agree with this. The OP posted on an open forum in the first place. The posts were never private. She has then suggested that she was in some way targeted. Looking at the posts, it’s clear this isn’t the case.

A leak is a leak and needs to be taken seriously, but in this particular case the OP is suggesting it’s more serious than it is by insinuating she has been targeted by people who want to dox her rather than good intentioned users.

The seriousness of the series of internal failures that allowed this to happen is not impacted by cause of the leak (regardless of the cause, the failures should not have happened), but the seriousness of the outcome is. It was not a targeted attack, and that’s important.

I can understand why intelligence assets have a full cover when in the field.

It might bother you if someone tweets that you’re a terrible person and publishes your name, address/workplace and threats of violence (usually rape).
You don’t need to have anything to hide.

Exactly. I appreciate the transparency

This is very naive.

Anyway, the law is clear on data protection and the reasons it matters are widely understood.

@SlatsandFlaps publish your email then? I have witnessed doxxing on a sub and it was unpleasant and harassing. Children’s names were mentioned and I believe were contacted. You clearly have no idea of the type of people who revel in this sort of thing.

The release of OPs email address is not good, at all.

However, I personally never use private email adresses for anything other than work or interraction with official government departments etc. I keep one email address separate and anonymous sounding for places like here and the other with my real name for officialdom. I thought everyone did that?

@JustineMumsnet

We emailed the affected users overnight offering to delete their posts, a retrospective name change or to change their email address. There are around 20 users affected

Can you please clarify how you have validated that list? Are you relying on logs or using logs of all replies to reports? (I'm assuming you have a timestamped audit trail).

It applied only to the emails/usernames of users who had posts reported (not to those doing the reporting). (Their details were included at the bottom of replies to the person who reported the post)

Why have email addresses started appearing at all? Replies in this type of system should keep all contact details blind both to reporter and moderator. That is a design choice which needed implementing and should have been picked up during data/security design. Is this another issues which is on the list to fix as a "glitch" of the upgrade?

We know how the error occurred - we obviously have checks and balances in place to stop this kind of thing happening and in two very clear ways the proper procedures weren't followed in this instance

If human beings can override procedures in two places without a check step them something is fundamentally wrong with the SDLC model. Config changes, particular those which could expose data should be both tested and automated and subject to review before deployment.

What has been put in place to stop procedures being overidden in future? We all remember the joy of the intern.

I'm really sorry this has happened and apologise wholeheartedly to all those who've suffered undue concern as a result

With the greatest respect, this statement is completely at odds with publicly posting the contents of the reports about one of your victims.

This is exactly the reason why I use a number of generic email addresses that don't contain my name for sites like this.

What is the outcome you want? It’s is. A breach and it is personal data but it’s already happened and cannot be changed.
There has been an apology issued, all people affected contacted, an investigation into what happened and hopefully they have been truthful about what further measures will be put in place. They have also confirmed that they’ve reported themselves to the ICO.

I’m not saying what has happened isn’t upsetting but things like this do happen and they happen with more sensitive data as well usually down to human error / not following procedure.

The best thing to do for all concerned is to use it as a learning experience - what measures can we all put in place when signing up to forums / accounts. Whether that is to set up on anonymous email address that does not contain names or choose not to use mumsnet or something else.

It is a bit shitty to post the original comments but I get the thinking behind it. Wrong approach though.

@LazyJayne Well said.

Amazing isn’t it that not everyone does what you do 🙄

The amount of people making light of this just goes to show just how ill informed some people are in this day and age.
Probably the same people who believe Facebook news is real news.

I wouldn't want even one person to know my personal email address without my permission let alone 3 from the vipers nest!

So sorry this has happened OP.

Disagree, shouldn’t have been done without OP’s permission and has exposed her further. Not cool.