Data breaches by Mermaids exposed in the Times

[truthisarevolutionaryact]

Mermaids has apparently put lots of confidential data online including private emails, personal data and emails demonstrating the pressure they have put on the Tavistock.
Andrew Gilligan article - share token:

www.thetimes.co.uk/article/parents-anger-as-child-sex-change-charity-puts-private-emails-online-tl0g5hwcg?shareToken=2f8ddc23419c61360023562a62e74d13

Is it possible they aren't listed & have their identity protected?

I had believed this wasn't possible but have a memory that MESMAC (which is based nearby) had unlisted trustees.

Which would seem a serious issue to me if true.

Theres been a lot of quesions as to why emails were passed on to the trustees. I can think of two reasons.

1. To demonstrate how bad been trans is/ what a big help mermaids is. Nothing like hearing you're wonderful and life changing to quash fears about what you're doing. I may be slightly cynical here. Basically for legitimate purposes to help guide future activities. Obviously this should have been made anonymous and without identifying details. There is a strong argument for just using quotes but seeing a quote in context can be more useful. I imagine this will he the defence used.

2. I don't want to be deleted so I'll let you insert your own reason here.

It seems likely that might be the case with Mermaids too then.

They are listed but anonymous. Blanked out - but you can see that they are there.

Sorry, that was a bit brief. All trustees will be listed, but may have their identity redacted with a black box. So you can see how many even if you can't see their name.

Trustees can have have their identity protected by dispensation if they are accepted as facing danger.
www.gov.uk/guidance/addresses-and-trustee-names-in-your-charitys-public-details

Could they be parents who dont want their children identified? It would make sense.

More sense than Stonewall not publishing the names of some of its trans-advisory committee.

No obvious parents amongst Mermaids committe now as far as I can see. A pity and perhaps reflecting a greater focus on lobbying.

I can't help but think these emails were shared because internally, they don't have any processes of professionalism about the work they do.
If a parent needed their child to be seen by CAMHS, or for them to be able just to talk to CAMHS, let's say, this information would come from a GP and be in a letter, the child and parent would come in for a consultation and the information would be held on computer systems which would send letters out to the GP and parents once decisions were made about therapy or treatment. Currently there aren't the secure systems in place to do this digitally and accessibly for the general public.
Compare this to parents emailing in to Mermaids with identifying information, emailing back more details, these emails being passed around internally and all of it being copied to the Internet?! It's actually incredible even without it being copied to an external site without any privacy settings. Emails are such an insecure way of sending data, they should be treated as postcards and not letters. Mermaids obviously have no way to process how to help people in a professional manner. They give some advice, links to forums, follow us on social media and come away to a weekend. Oh and here is the phone number of Drs Webberley.

Three trustees is okay, I think the minimum the CC recommends. It would ring alarm bells for me though, I'm surprised the Lottery gave them £500k on this basis, indicates something might be seriously wrong.

A friend runs a small charity in memory of their daughter. I doubt the annual turnover is much more than £100k. I've just checked their website. They have six trustees.

"They have a wide variety of backgrounds spanning business, the law and accountancy."

That is a big part of the point of trustees isn't it? The experience they bring to assist the charity?

Three seems vanishingly small for a charity like Mermaids.

What due diligence did the National Lottery do to determine funds would be used well? Other than read some tweets and Pink News items?

Name changed.

I work for one of the organisations implicated in the emails. As of today, we still appear to have an active relationship with Mermaids. I’ve been raising concerns about the relationship since 2017.

It just seems, again, due diligence and critical thought disappears when the magic ‘T’ word is said. I’m currently unsure whether to chalk it up to incompetence in whoever vets external charity relationships, or whether it’s true institutional capture right up to board level.

I'm shocked that anyone's emails can end up in a cache on the internet, tbh. What other companies might do this?

SG is often referred to as an IT professional; it wouldn't surprise me if she simply became complacent about her level of expertise as the IT regulations evolved.

As Trustees are supposed to direct the staff and set direction this is important that There appears to be so few of them.

For any charity, but particularly those with a small staff, a good number of Trustees with appropriate skills and experience will be particularly essential for lots of reasons.

Mermaids seem to have an odd mix of very big grants and very few Trustees. That should not be a hard type of charity to attract new Trustees to join. The rapid turnover of Trustees there is also odd.

In practical terms how would quoracy work with only 3 Trustees? Just takes one of them not to attend a meeting and everyone has to wait for a decision? Doesn’t that make life very difficult?

www.gov.uk/guidance/charity-meetings-making-decisions-and-voting

3. Have a ‘quorum’ – enough people to make a decision
‘A quorum is the minimum number that must attend a meeting so that decisions can be made properly. The people may be trustees at a committee meeting, or members at a general meeting. Your governing document should tell you what your quorum is. If it doesn’t, think about amending it.

If you set your quorum too high, any absences may make it difficult to have a valid meeting. If it’s too low, a small minority of people may be able to impose its views unreasonably.

The commission recommends that the quorum for a trustees’ meeting is a minimum of one third of the total number of charity trustees plus one. So a charity with ten trustees will have a quorum of four.

For general meetings, you should give careful thought to the quorum – it needs to be appropriate to the size of your charity and the number and geographical spread of members.’

Did I read right, Mermaids has changed their statement 3 times? I wonder if that’s down to sheer stupidity, or they deliberately didn’t want to admit personal emails were disclosed in The Times article?

Tuxedo glad you felt you can comment, hope it's safe for you to do so even with a name change. What a ridiculous thing to have to write in 2019.

I've been following this, aghast at it all. It occurs to me that the IT consultant Susie Green may not have been so shit hot at her IT job and thus is another reason why Mermaids must succeed. It's her job, after all.

A friend has written to his MP about this - MP says he's writing to the minister for charities.

I suspect there's a huge lack of due diligence when choosing a charity to partner with, particularly when it's a name that will push you up the Stonewall list of organisations. Demonstrating that you're 'putting something back' is something that a lot of companies pay lip service to.

As for Greens's qualifications to call herself an IT consultant, she was an office manager and then IT manager for a local branch of CAB. She has no qualifications at all except for a Prince2 certificate according to her LinkedIn.

As for Greens's qualifications to call herself an IT consultant, she was an office manager and then IT manager for a local branch of CAB. She has no qualifications at all except for a Prince2 certificate according to her LinkedIn.

About 15 years I worked for a similar org. I was sent on Prince 2 training then seconded to run the IT project they had going at the time. I'm reasonably technologically competent on a personal level but I know fuck all about IT in the wider context. Luckily I had access to people who did know more than me to assist but I would never dream of calling myself an IT consultant.

SG seems to think what she did to her child qualifies her as a world expert in endocrinology, plastic surgery, reproductive health, psychology and goodness knows what else, so it’s hardly surprising that she thinks a very basic certificate in using computers in offices qualifies her as an ‘IT consultant’.

I'm shocked that anyone's emails can end up in a cache on the internet, tbh.

Ive just asked DH about this, cos I don't understand this stuff.

His response was that Google can't find things (to put on its search engine) unless there are links to that forum to somewhere else on the Internet. It doesn't have to be to that sensitive data just to the forum its on (which has to be public not locked down). It also has to be a public link to a site that is indexed by Google.

It suggests that level to which the information was publicly available (through Google) and the lack of any form of security.

He suggests that this information was already being shared on another website before Mermaids deleted their directory and had been shared for a while as Google does not magically index things overnight.

It's not someone archiving it privately. It's a link which someone created and shared publicly.

His concern would be what sharing and linking created the cache.

That's about as much as he can work out, but it's a big deal that there was a cache at all. This was supposed to be a forum that was totally private and to only be accessed by the Trustees and Susie Green from the information we have about the forum.

It either suggests one of those authorised to view the forum shared it (but they all believed it was private so why would they?) Or someone else found it some time ago and shared it. (Which also rules out the Times as they had no reason to share publicly and they also had an understanding of sensitive nature of that information)

The information shared that I know is 'in the wild' was shared after the directory deletion and was from the cache. So it's not that either.

This leaves a mystery as to who it was and suggests this information has been 'wild' for some time at an unknown public source. It suggests an unknown party or parties we do not know about.

Which should only add to the concerns of anyone who has had their data leaked.

RTB

That's an interesting point. It sounds from this groups.io/g/GroupManagersForum/message/48/2990 as if even if they had inadvertently set their archive to public it would not have been visible to search engines unless they had actively listed their group in the directory too. Which would seem an odd thing to do.

His response was that Google can't find things (to put on its search engine) unless there are links to that forum to somewhere else on the Internet. It doesn't have to be to that sensitive data just to the forum its on (which has to be public not locked down). It also has to be a public link to a site that is indexed by Google.

Attachments you think are just sitting on the back end and not visible to the public can sometimes be accessed because on certain website CMS (like Wordpress core) google can crawl the whole site. This happened to me. I was publishing something for work which was embargoed and I hadn't put the page live yet, but someone managed to google search and find the document. Luckily no harm done and no personal data. Won't make that mistake again!

Yep. That's exactly what DH said.

It's only the act of sharing a link which is public which creates a cache.

For me this leaves two possible explanations 'a white knight' or something altogether darker.