Data breaches by Mermaids exposed in the Times

[truthisarevolutionaryact]

Mermaids has apparently put lots of confidential data online including private emails, personal data and emails demonstrating the pressure they have put on the Tavistock.
Andrew Gilligan article - share token:

www.thetimes.co.uk/article/parents-anger-as-child-sex-change-charity-puts-private-emails-online-tl0g5hwcg?shareToken=2f8ddc23419c61360023562a62e74d13

This is just horrific. The breach of confidentiality, the breadth of their influence ... it’s awful.

Just another voice saying to not post anything that would breach anyone’s medical privacy or identify any child or family.

I hope the times have all of it archived, and I hope they expose the entire web of corporate influence and lies (while keeping children’s data private.)

They were TOLD it was available by someone with integrity, had the chance to fix it and STILL couldn’t, or didn’t. Or didn’t care to.

Much as I hate to say it, that isn't something Mermaids could have done. They have presumably fixed the original leak, but all that data is out now in various locations and there is no way to magically recall it.

Agree ItsAllGoingToBeFine. Now the information is out you can't undo it. That's why this breech is bad.

This is a charity with a high profile and inability to govern itself properly. It's grown beyond its means and has sort to do this at a speed which it has deliberately sought without regard to its basic duty of care to those it was already serving. That's definitely a trustee issue. This is without considering the controversial nature of its work, which those running the charity absolutely should have considered.

What if some very genuinely transphobic individual or group got hold of that information with the intent of harming those children or their families? This is where vigilantism should be considered.

This, considering where the data is being shared, is now a very real concern.

What information is in those emails seems to contain a fair amount which is in the public interest for us to know and is stuff that I would love to discuss in terms of transparency, accountability, conflicts of interest, legal questions, manipulation of data for propaganda purposes and the political and commercial aims of the charity coming before those of the children concerned and it seems potentially at their expense due to their inability to give informed consent without duress to any of the things done in their name, on their behalf or to actually to them.

However, its mixed up with such personal information it makes me deeply uncomfortable as there isn't a public interest argument about a large amount of what has been leaked. And this exposes vulnerable people to all sorts of risks (not just transphobic abuse but also other Internet related crime).

I also think there is a certain degree of a problem in reporting anything in the emails, due to the nature of their source.

I think it's likely its been looked through at length but only certain things picked up - I note most of what was in the press related to a previous article and Mermaids response, so is possibly easier to argue the public interest case over. The rest perhaps will form background to future questions about the conduct of this charity and other organisations which can be researched from others sources, rather than be reported direct from this leak.

This is where I feel much more comfortable with journalists on a professional level who take an ethical and legal approach, rather than 'citizen journalism'. This is information which was not in the public domain with the consent or by the hand of those involved. 'Citizen journalists' and MNetters perhaps need to be careful over where they stand legally in these circumstances discussing what's in that data leak. I suspect there may well be legal questions over retention and storage of information you know to have been part of a data leak which has been reported to the ICO.

I don't know.

It's in someways a very frustrating situation, and I think a certain degree of caution needs to be exercised by anyone who says more than is in the Sunday Times article, for your own sake.

The argument on MN has always been very much about safeguarding of children, so this certainly needs to be reflected on too. The wider interest might be relevant, but at the expense of vulnerable children who have already been caught up in this horror show. A public interest argument isn't particularly strong if you place those you seek to help at risk because of your actions even if the intention is to help them in the longer term, unless you have the legal knowledge, professional experience or some kind of legal status to do so. Its one for professionals who know what they are doing, rather than anyone just well meaning and concerned as far as I'm concerned. It's a situation where more harm could be caused intentionally or unwittingly.

The Sunday Times has done the whistle low on this, and there are clearly follow up leads from this, which Mermaids aren't going to be able to avoid in the long term. I doubt it's just going to get left at what's been reported so far. Mermaids response really is the thing to keep a close eye on.

Yes, I think that's the right thing to do.

Much as I hate to say it, that isn't something Mermaids could have done. They have presumably fixed the original leak, but all that data is out now in various locations and there is no way to magically recall it.

But people didn’t start archiving it until it became widely known it was available via the article surely? Were people archiving it beforehand? In that case, fair enough, but the Times told them, gave them a chance to fix it, then publish the story, and stuff was still available via the same search terms. Couldn’t that have been prevented, or am I missing something?

Mermaids could have asked Google to remove it completely if there was a reason, legally or morally to do so. I suggest it was possible to remove it so that it wasn’t available to archive.

But people didn’t start archiving it until it became widely known it was available via the article surely? Were people archiving it beforehand?

Probably yes. It was something you could easily innocently stumble across.

stuff was still available via the same search terms. Couldn’t that have been prevented

It could have if Mermaids had been competent in the first place. The problem is once information is available openly on the internet every search engine will see the data and list it, and cache it.

But people didn’t start archiving it until it became widely known it was available via the article surely? Were people archiving it beforehand? In that case, fair enough, but the Times told them, gave them a chance to fix it, then publish the story, and stuff was still available via the same search terms. Couldn’t that have been prevented, or am I missing something?

The question here comes down to when the times told Mermaids to a certain degree and whether they gave 'sufficient time between this point and publication to resolve the matter'. I'm sure this will become a point of contention on social media... But the bottom line is that it a) should never have happened and Mermaids have legal responsibility for that information b) no one can tell who accessed that information and stored it and when because of how long it's been public before the times reported it.

They had time to delete the cached pages between the time that the Sunday Times told them and the story breaking. They didn't, they just deleted the directory. They should have taken advice from an independent IT consultant that understands security breaches. They didn't.

They are still failing to realise the severity of this

They are still failing to realise the severity of this

They know but they don't care, this archive was basically set up so trustees could read intimate details about these children.

I explained my earlier posing up thread.

This is awful for the children and families involved. Really awful.

However good will come of it if:

1. It causes people, including families and schools, to look more closely at Mermaids. Is this a professional organisation? Where does its expertise lie? Can it be trusted to put safeguarding at the centre of its operations?

I flicked briefly through Mermaids twitter and noticed that the early comments on their statements seemed to be from the anime mob rather from people who sounded like Mermaids families.

1. It causes outside regulatory organisations and sponsors to review relationships. This is a charity that advocates medicalising children. I hope the Sunday Times will use their unique insight to unpick what went wrong. Why was there a rapid change of approach? Why was this rapid change of approach so eagerly supported by funders, Stonewall, TV programme makers etc? Why were medics ignored? What lessons might be learned?

What has happened is awful, but hopefully it will be the big bang that blows all this suicide hocus-pocus and pink brain jelly baby stuff right up. So that dysphoric children are treated sensitively but conservatively so they preserve their open futures.

Susie Green needs to resign. And any trustees implicated should stand down. They cannot minimise this. It is shocking.

They had time to delete the cached pages between the time that the Sunday Times told them and the story breaking. They didn't, they just deleted the directory. They should have taken advice from an independent IT consultant that understands security breaches. They didn't.

facepalm

There is a reason internet security experts charge a lot.

I flicked briefly through Mermaids twitter and noticed that the early comments on their statements seemed to be from the anime mob rather from people who sounded like Mermaids families.

Yes, those defending Mermaids over this appear to be adults with a vested self interest rather than putting the interests of those directly affected first.

That was my thinking OrchidInTheSun. There may have been nothing they could do if people already had copies. But they absolutely should have engaged a competent IT specialist to remove anything that could easily be found by all and sundry. The information has spread much further than it should have done if they had acted with due diligence as soon as the breach was reported.

I don’t think anyone posted anything here that identified any individuals, or any links or anything - some posts obliquely referenced where we had seen the data, which isn’t hard to find at all, and I speak as a non-techie frequently flummoxed by the interweb in general.

JessicaWakefield has included the relevant point from my post - that there are multiple emails from an EHRC solicitor apparently copying SG into email conversations she was having with trans youth/parents. SG then shared these with trustees (and the world). Emails contain names, addresses, workplace of parent, name of school etc. I feel there are questions about the appropriateness of the EHRC solicitor doing this as well as the SG/Mermaids end of the affair.

And to reiterate - this info is still freely available, online, now. This minute, just checked. Perhaps Mermaids should get an IT consultant to help them sort.....Oh.

Just to be clear, Mermaids reported the breach to the ICO on Friday. The story was published at 12.01 Sunday morning.

So they knew on Thursday/ Friday morning at a push.

Plenty of time then.

From an hour ago

ICO @ iconews
Hello, the ICO has received a data breach report from Mermaids UK and we will assess the information provided. Many thanks.

I'm glad they actually reported themselves, I was a little worried that they wouldn't

They didn't have a choice.

The Times were going to publish.

If having been informed of the breech they then failed to report themselves that would considered another breech in and of itself.

They would have known from Thursday I reckon as that's usually when the Sundays plan their stories .

Question- do Mermaids own the platform they used for sharing this info? If not they're going to find the clean up process a little difficult...

So, as of right now have they still put got an expert to sort it out yet? You can still find it? For fucks sake.

Mermaids do not understand Safeguarding.

Its not even about the data breach.
No CEO of a charity who is supporting children, vulnerable adults & their families would be sharing personal identifying emails with trustees from those they were supporting

Trustees who understand Safeguarding would also be mindful of this as there is an important balance between enabling Trustees to scrutinise & supervise the work by paid staff /volunteers and protecting service users.

There are established ethics with regards Confidentiality. These are part of Safeguarding frameworks.

Mermaids Charity do not understand or respect Safeguarding or Child Protection frameworks. Each failure & inappropriate response is indicative of this.

Hello, the ICO has received a data breach report from Mermaids UK and we will assess the information provided. Many thanks.

It needs to go to Children's Commissioner etc
This is a gross Safeguarding failure.