Mumsnet is a service for parents, by parents. It is used as a forum where parents post their thoughts, ideas, questions, etc., and others respond. Parents who have questions or are encountering issues they haven't experienced before have the opportunity to talk to others who have worked through the specific issue.
Mumsnet reported an issue with its attempt to migrate the service to the cloud. This was reported to the Information Commissioner's Office (ICO), as private, confidential information of residents covered by GDPR was involved. The issue was that unauthorized persons were able to log into other users' accounts. In particular, there is a forum where persons are able to post comments on various topics. The company upgraded the software the forum runs on. For three days (Tuesday afternoon 2pm GMT to Thursday morning 9am GMT), if two users attempted to log in at the same time, the two accounts could be switched. A user could then post a message as the other user, view the other's account details, and read their private messages. On a positive note, they were not able to see the other's passwords, as these are encrypted.
Mumsnet was not aware of how many users' accounts had been affected. During the period when the issue was present, an estimated 4k users logged in. As two users had to attempt to log in at the same time during this period, the entire 4k would not have been affected. There were, however, at least 14 incidents. The business is reviewing the logs. With the potential GDPR fines, this could be a significant issue.
This represents an opportunity to learn. When there is a significant upgrade, testing should be done to ensure there aren't issues, along with running duplicate systems if the need presents itself, so that this issue does not occur elsewhere.
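
A pre-release test for the symptom described above, added here as an example and not taken from Mumsnet's code: it forces logins to overlap and checks that each session is bound to the account that requested it. The reports do not say what caused the mix-up, so `SharedStateLogin` is a constructed stand-in for one way it can happen; all class, function and user names are assumptions.

```python
import secrets
import threading

class SharedStateLogin:
    """Constructed flawed handler: per-request data lives on a shared object."""
    def __init__(self, gate):
        self.sessions = {}        # session token -> account name
        self.current_user = None  # shared by every in-flight request
        self.gate = gate          # barrier that forces the logins to overlap

    def login(self, user):
        self.current_user = user  # overwritten by any concurrent login
        self.gate.wait()          # all requests are now in flight together
        token = secrets.token_hex(16)
        self.sessions[token] = self.current_user  # may be the other user
        return token

class PerRequestLogin(SharedStateLogin):
    """Same flow, but the account stays in a local variable of the request."""
    def login(self, user):
        self.gate.wait()
        token = secrets.token_hex(16)
        self.sessions[token] = user
        return token

def count_mismatches(service_cls, users=("alice", "bob")):
    """Log all users in simultaneously; count sessions bound to the wrong account."""
    service = service_cls(threading.Barrier(len(users)))
    issued = {}

    def worker(user):
        issued[user] = service.login(user)

    threads = [threading.Thread(target=worker, args=(u,)) for u in users]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(1 for user, token in issued.items()
               if service.sessions[token] != user)

if __name__ == "__main__":
    print("shared state:", count_mismatches(SharedStateLogin))
    print("per request: ", count_mismatches(PerRequestLogin))
```

The barrier makes the overlap deterministic, so the check fails on every run against the flawed handler instead of only when timing happens to line up.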