Mumsnet reports data breach to ICO after problematic cloud move

Mumsnet admitted data breach fault after a botched upgrade shares its user's data

Mumsnet founder Justine Roberts

Mumsnet has reported itself to the Information Commissioner's Office (ICO) after a botched upgrade resulted in users accidentally logging into the accounts of others.

The parental forum believes that the breach was caused when moving its services to the cloud on Tuesday afternoon. The problem ran from 2pm Tuesday to 9am Thursday when the changes were reversed.

The breach concerns logins where for three days users logging into their accounts at the same time as another user could have had their account info switched. A user alerted the company to the breach on Wednesday night saying that they were able to login and view another user's account.

Advertisement - Article continues below

Mumsnet said it is investigating its logs to determine the impact of the breach. Approximately 4,000 users were logged in during the three-day window, but Mumsnet doesn't know how many of those were actually breached. The company has only been made aware of 14 incidents so far and those individuals have been notified of the issue.

According to the site, logging into another user's account allowed them to see email addresses, account details, posting history and personal messages, but not passwords as they are encrypted.

"One must acknowledge that all software is imperfect and when software has bugs, when they're identified in productions systems they need to be patched or rolled back to a known good state quickly, and that's what has reportedly happened here," said Matt Walmsley, EMEA director at Vectra. "It's not clear to what degree pre-rollout testing occurred or if the "move to the cloud" was material in the incident."

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

No further incidents have been reported suggesting that it was the move to the cloud that caused the issues. Mumsnet founder Justine Roberts posted a blog post to apologise to users and notify them that it will report the breach to the ICO.

"You've every right to expect your Mumsnet account to be secure and private," she said. "We are working urgently to discover exactly how this breach happened and to learn and improve our processes. We will also keep you informed about what is happening. We will, of course, be reporting this incident to the information commissioner."

Mumsnet is not alone in this regard, as 2018 saw an unprecedented number of companies reporting data breaches, with almost 60,000 reported across Europe since GDPR came into force.

What's interesting about the Mumsnet incident is it's due to a fault during an upgrade to cloud services, highlighting the dangers of rushing digital transformations. To the company's credit, it acted swiftly and took steps to shut down the problem, notify its users and involving the regulator.

Advertisement

Most Popular

Visit/development/application-programming-interface-api/355192/apple-buys-dark-sky-weather-app-and-leaves
application programming interface (API)

Apple buys Dark Sky weather app and leaves Android users in the cold

1 Apr 2020
Visit/mobile/mobile-phones/355239/microsofts-patent-design-reveals-a-mobile-device-with-a-third-screen
Mobile Phones

Microsoft’s patent design reveals a mobile device with a third screen

6 Apr 2020
Visit/data-insights/data-management/355170/oracle-cloud-courses-are-free-during-coronavirus-lockdown
data management

Oracle cloud courses are free during coronavirus lockdown

31 Mar 2020