The aftermath of the intern data leak?

[stealthsquirrelnutkin]

Has anything has been done to tighten security in compliance with law after the incident in April when the paid intern doxxed the women of FWR and drove so many Feminists off the site?

www.theguardian.com/media/2018/apr/19/mumsnet-reports-itself-data-regulator-transgender-rights-row-ip-addresses-posted-twitter

Words have no set meaning these days. Haven't you heard?. 🤪🤪🤪

I think it's a case of 'sorry, not sorry'.

Hi all,

Just wanted to let you know we have seen this thread and will be back with any new info we have. We just want to check in with some senior members of the team first. Hope you won’t mind bearing with us.

sure Lily, thanks for the reply

I would like to know too.

Thanks Lily.

I think the worrying part of the episode was the implied threat/promise of "more to come". Sure, after the initial release and backlash from that, the 'more' was not released publicly, but how do we really know personal information was not quietly passed on to 'interested parties'?

Thanks Lily.

Place marking

Wait...Lily 🤔🤔

Ahh, well spotted @Gooseflesh and good point!

🤔 indeed!

No news?

Place marking.

It’s been 2 days since Lily popped in. How long does it take? I re-joined after a long absence, after this situation which I only just heard about. But I don’t feel reassured about the safety of our data on hearing this and I’m not sure why MNHQ is taking so long to reply to you all. This was a serious incident that the woman seems to have just gotten away with? Wow. You get worse punishment for misgendering 😐

pennydrew

Correct.

Hi everyone and thanks for your questions - we're very happy to update you on the changes we made.

As soon as we became aware of the data breach we removed IP addresses from the admin view of the site. They're now only visible to a restricted number of vetted moderation staff who need to access users' registration data and IP addresses to reduce troll activity, and to a small number of senior team members. We monitor all permissions and regularly review them.

We also looked very carefully at our entire approach to data in response to this incident, and as part of our preparations for GDPR. We put in place a number of measures to make sure that we go above and beyond what's required to keep your data safe - and if you're at all concerned, we've made it very easy to find out which personally identifying information you've given us, and to change or delete some or all of that data. You can find out about that over here.

Just to reassure you again, it's extremely unlikely that anyone could be identified by an IP address alone, and no-one was 'doxxed' as a result of this breach. As Justine said at the time, we're as sure as we possibly can be that the tweeting of three posters' IP addresses was genuinely unintentional, and that the aim was to draw attention to the content of the posts, not to reveal identifiers.

We did make the police aware, just as a precautionary measure; we haven't had any further communication from them so we believe they were satisfied that the IP addresses had been revealed inadvertently. As someone has mentioned we also reported ourselves to the ICO, and they were satisfied that we'd responded effectively to the incident and closed the case.

Hope that's clear - please do shout if you have any further queries.

From what I understand, she bragged about doing it and having people ‘on the inside’?

That’s not inadvertent. That’s deliberate. But ok, upshot is she got away with it 💁🏽‍♀️

Thanks, Michael. I have a couple of further questions:

As soon as we became aware of the data breach we removed IP addresses from the admin view of the site. They're now only visible to a restricted number of vetted moderation staff who need to access users' registration data and IP addresses to reduce troll activity, and to a small number of senior team members.

Firstly, if they're not actively dealing with troll activity, then for what purpose do the senior team members need to view IP addresses? What, in practice, is this information being used for? Secondly, are the IP addresses constantly viewable, or does it need to be accessed separately, i.e. by clicking on a link to the user's profile, which might be key-logged.

Finally, what level of access do staff have to private messages, including deleted messages, and are attempts to access these logged in any way?

Thank you.

Thanks for the reply Michael, and it's good to hear that you've made steps to protect potentially sensitive information

I think for me however there's another question which is to do with the tone that is tolerated in MNHQ

Here's a tweet by the woman in question where she refers to users of this site as transphobic scum, and says she has friends who still work here. While I understand and am completely happy with the idea that employees are entitled to hold their own opinions, I think I'd like some sort of reassurance that

• expressing this sort of attitude towards users of the site is completely unacceptable within MNHQ
• the 'friends of Emma' who still work at MNHQ understand that they should be applying modding in an evenhanded and fair way, without allowing their personal political or religious beliefs to affect decision making

I have seen some very uneven modding on this board, and wonder if this attitude toward users of the site is still in place among some at MNHQ?

But she went on social media and and confessed - even hinted that there was more to come?

what level of access do staff have to private messages, including deleted messages, and are attempts to access these logged in any way?

I would very much appreciate an answer to this @MNHQ

I'm not satisfied. I think Emma needs to be prosecuted in some way. Can you imagine if one of us had doxxed her?

Perhaps we should report her to Yorkshire police for hate crime.

@MNHQ

I would also like to hear that perhaps all her computers and devices at home were checked and there was a thorough investigation.

Even if she 'inadvertently' found herself stealing data, putting in online, insulting us('transphobic scum') and making further threats about 'insiders' I believe it should be seen that her actions have been scrutinised in a way that will act as a deterrent so that no-one else will join Mumsnet with intentions of doxxing us.

Companies can and should take sensible precautions to make data theft very difficult.

However it is impossible to lock data down enough to make it impossible because you need some appropriate access to enable people to do their jobs

therefore the other thing companies need in place are strong deterrents so that employees understand that the consequences of data theft make it not worth it

So while I've no desire to see Emma Healey prosecuted out of revenge, I would like to be clear that she suffered serious consequences for her actions, because that is part of keeping the data of site users safe in future

I understand for example that she still lists MN on her linked in profile - this does not really indicate that she understands that she left under a cloud

It’s not about revenge, it’s about appropriate punishment under the law. Which MN aren’t actually responsible for.

I’m interested in why the police didn’t persue this legally.