Mumsnet reports data breach to ICO after problematic cloud move

Mumsnet admitted data breach fault after a botched upgrade shares its user's data

Mumsnet founder Justine Roberts

Mumsnet has reported itself to the Information Commissioner's Office (ICO) after a botched upgrade resulted in users accidentally logging into the accounts of others.

The parental forum believes that the breach was caused when moving its services to the cloud on Tuesday afternoon. The problem ran from 2pm Tuesday to 9am Thursday when the changes were reversed.

The breach concerns logins where for three days users logging into their accounts at the same time as another user could have had their account info switched. A user alerted the company to the breach on Wednesday night saying that they were able to login and view another user's account.

Mumsnet said it is investigating its logs to determine the impact of the breach. Approximately 4,000 users were logged in during the three-day window, but Mumsnet doesn't know how many of those were actually breached. The company has only been made aware of 14 incidents so far and those individuals have been notified of the issue.

According to the site, logging into another user's account allowed them to see email addresses, account details, posting history and personal messages, but not passwords as they are encrypted.

"One must acknowledge that all software is imperfect and when software has bugs, when they're identified in productions systems they need to be patched or rolled back to a known good state quickly, and that's what has reportedly happened here," said Matt Walmsley, EMEA director at Vectra. "It's not clear to what degree pre-rollout testing occurred or if the "move to the cloud" was material in the incident."

No further incidents have been reported suggesting that it was the move to the cloud that caused the issues. Mumsnet founder Justine Roberts posted a blog post to apologise to users and notify them that it will report the breach to the ICO.

"You've every right to expect your Mumsnet account to be secure and private," she said. "We are working urgently to discover exactly how this breach happened and to learn and improve our processes. We will also keep you informed about what is happening. We will, of course, be reporting this incident to the information commissioner."

Mumsnet is not alone in this regard, as 2018 saw an unprecedented number of companies reporting data breaches, with almost 60,000 reported across Europe since GDPR came into force.

What's interesting about the Mumsnet incident is it's due to a fault during an upgrade to cloud services, highlighting the dangers of rushing digital transformations. To the company's credit, it acted swiftly and took steps to shut down the problem, notify its users and involving the regulator.

Featured Resources

Five lessons learned from the pivot to a distributed workforce

Delivering continuity and scale with a remote work strategy

Download now

Connected experiences in a digital transformation

Enable businesses to meet the demands of the future

Download now

Simplify to secure

Reduce complexity by integrating your security ecosystem

Download now

Enhance the safety and security of your people, assets and operations

Enable a true vision of security with an engineered solution based on hyperconverged and storage platforms

Download now

Most Popular

Google Pixel 4a review: A picture-perfect package
Google Android

Google Pixel 4a review: A picture-perfect package

18 Sep 2020
Accenture ploughs $3 billion into cloud migration support group
digital transformation

Accenture ploughs $3 billion into cloud migration support group

17 Sep 2020
16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

16 Sep 2020