Mumsnet reports data breach to ICO after problematic cloud move
Mumsnet admitted data breach fault after a botched upgrade shares its user's data
Mumsnet has reported itself to the Information Commissioner's Office (ICO) after a botched upgrade resulted in users accidentally logging into the accounts of others.
The parental forum believes that the breach was caused when moving its services to the cloud on Tuesday afternoon. The problem ran from 2pm Tuesday to 9am Thursday when the changes were reversed.
The breach concerns logins where for three days users logging into their accounts at the same time as another user could have had their account info switched. A user alerted the company to the breach on Wednesday night saying that they were able to login and view another user's account.
Mumsnet said it is investigating its logs to determine the impact of the breach. Approximately 4,000 users were logged in during the three-day window, but Mumsnet doesn't know how many of those were actually breached. The company has only been made aware of 14 incidents so far and those individuals have been notified of the issue.
According to the site, logging into another user's account allowed them to see email addresses, account details, posting history and personal messages, but not passwords as they are encrypted.
"One must acknowledge that all software is imperfect and when software has bugs, when they're identified in productions systems they need to be patched or rolled back to a known good state quickly, and that's what has reportedly happened here," said Matt Walmsley, EMEA director at Vectra. "It's not clear to what degree pre-rollout testing occurred or if the "move to the cloud" was material in the incident."
No further incidents have been reported suggesting that it was the move to the cloud that caused the issues. Mumsnet founder Justine Roberts posted a blog post to apologise to users and notify them that it will report the breach to the ICO.
"You've every right to expect your Mumsnet account to be secure and private," she said. "We are working urgently to discover exactly how this breach happened and to learn and improve our processes. We will also keep you informed about what is happening. We will, of course, be reporting this incident to the information commissioner."
Mumsnet is not alone in this regard, as 2018 saw an unprecedented number of companies reporting data breaches, with almost 60,000 reported across Europe since GDPR came into force.
What's interesting about the Mumsnet incident is it's due to a fault during an upgrade to cloud services, highlighting the dangers of rushing digital transformations. To the company's credit, it acted swiftly and took steps to shut down the problem, notify its users and involving the regulator.