Mumsnet Data Leak Baffled Parents As Cloud Migration Exposed Users’ Personal Data

Another day, another breach. This time, the incident has troubled thousands of parents as it affected parenting forum Mumsnet. Reportedly, a cloud migration activity accidentally resulted in Mumsnet data leak, leaving the personal details of the users exposed.

Mumsnet Data Leak Exposed Private Information

This Thursday, the British parenting website Mumsnet disclosed in their official notice of a glitch that bewildered many users. Reporting about the Mumsnet data leak, they confirmed that a site glitch left personal details of the users exposed online.

“There was a problem affecting Mumsnet user logins between 2pm of Tuesday 5 February and 9am on Thursday 7 February. During this time, it appears that a user logging into their account at the same time as another user logged in, could have had their account info switched.”

As explained the problem arose as they moved their services to the cloud. Consequently, due to the software change, users could view the details of others after signing-in. The exposed details precisely include email addresses, account details, personal messages and posting history.

Soon after a Mumsnet user alerted them about the problem, they reversed the change. They now confirm that they received no further reports in this regard after the change.

How Did This Happen?

For now, Mumsnet hasn’t revealed many technical details as they continue with their investigations. Nonetheless, according to Steve Armstrong, Regional Director, UK & Ireland, Bitglass,

“Indications are that this issue was fixed with a rollback.  This likely suggests an underlying database configuration issue.  It’s very unlikely to be a caching issue browser side – so this suggests a server-based issued.  This, in turn, would speak to a misconfiguration either in the database platform or potentially, on the infrastructure the database was hosted.  There are generally security models built into most platforms, but they only solve part of the problem – security in depth is always a better approach.”

Whereas, Naaman Hart, Managed Services Solutions Engineer, Digital Guardian, said the incident may have occurred due to a mix-up of steps in the login process.

“It’s really pure speculation as to this incident happened, but it would likely have been caused by a mix up in the intermediary steps of the login process.  Typically when logging in you validate yourself and you’re given an identity.  That identity has access to your data.  In a case where this process has a problem, it’s possible that the identity you’re given is someone else’s.  This can happen if the service already has an answer in mind, cached/remembered, and it serves up that answer instead of doing the legwork to find the real answer.”

Was Cloud Migration Behind Mumsnet Data Leak?

Mumsnet put the issue down to a data leak during cloud migration. Does it indicate any problems with the cloud migration procedure?  Naaman Hart did not agree with the link being developed by Mumsnet between cloud migration and the data leak.

“Moving to the cloud has nothing to do with this failure. It simply highlights that the company is going through a large IT project where complications can arise.  That said, security is different in the cloud but typically it’s purely misconfiguration that leads to problems.  There is also a lack of rigor applied to validation processes to ensure that companies truly know where their data is stored once in the cloud and how much control they actually have over it.”

Companies Should Perform Cloud Migrations Carefully

According to Steve Armstrong, organizations should perform cloud migration with meticulousness. What’s better in such situations is to first make sure having technology controls.

“Moving to the cloud poses some new challenges to any organization – being able to securely configure platforms requires a robust set of controls and processes to be in place.  Outside of the human factor or testing before a release, it is important to have the appropriate technology controls in place.  These controls should help reduce risk whilst enabling the business.  When moving to the cloud it is important to first assess the risks and map those to the required controls.”

Explaining his point further, he said,

“If there’s a gap in control versus risk an organization typically has two approaches.  The first approach is to update its risk register and accept there is some form of risk.  Second, they can implement the controls through the use of technology designed to secure and monitor these environments.  In the main these organizations have a risk versus reward balance to maintain – controls should be sufficient enough to mitigate the risk whilst not hindering business agility.  The challenge of securing the cloud is ever-changing; the pace at which platforms, service, and infrastructure in the cloud changes makes risk a moving target that can be hard to 100% mitigate.”

Hart also emphasized on learning the details of new technologies, such as clouds, to avoid any problem later.

“The best practices are to learn the benefits and pitfalls of moving to the cloud.  Companies will likely gain some native security benefits from moving to newer technologies but they also gain the headache of learning the intricacies of these platforms.  If they don’t learn how to work well with them then they can find themselves making small misconfigurations that lead to big problems.”

Data Leaks And Breaches Becoming Common

Mumsnet data leak simply adds to the list of data breaches happening routinely nowadays. According to Stephen Gailey, Solutions Architect at Exabeam,

“The Mumsnet breach is not that shocking, at least to me.  It is not the activity of malicious hackers trying to steal data; instead, it seems to be the result of poor programming – again. And this particular problem is also nothing new.  Banks and other online organizations have been experiencing just this problem for at almost two decades now; I think the first report of synchronous logins revealing the other users’ data that I can recall was in the early 2000s.  What this underlines is that the root cause of most security breaches, whether they are malicious or accidental as in this case, tends to be poor software development processes or poor operational processes.”

Hart said data stored over cloud services is always at the risk of breach due to its resilient features. Thus, the companies should ensure adequate data security before such migrations.

“Every cloud service that interacts with that data is a potential for a leak and companies need to ensure they’re very well versed in who touches what and where it moves. A prime example comes from the very design of cloud-hosted systems.  By their very nature they are meant to be resilient.  Resilient means they have copies of everything in case of failure.  These copies can extend to your data and you can very easily find that your data exists in many places you didn’t think it did.  Data sovereignty, therefore, needs to be taken seriously.”

Adopting Security Measures At The Organizational Level

Stephen Gailey emphasized on the importance of adopting security measures for internal infrastructure of an organization. He also urged on the quality of staff hired to avoid security breaches.

“Organisations tend to look outwards to understand the threats they face, but perhaps they should look inwards at how they build and run Internet-facing systems.  The new rush to digitization is likely to fill our press with reports like this one.  The truth of the matter is the same as it has always been, the limiting factor for any organization is the quality of the people it can hire and retain.”

The recent Mumsnet data leak isn’t the first cybersecurity incident with the firm. In 2014, the company suffered a massive cyber attack due to Heartbleed vulnerability. In fact, that incident had had an even bigger impact as it affected 1.5 million users.

Related posts

Water Facilities Must Secure Exposed HMIs – Warns CISA

Microsoft December Patch Tuesday Arrived With 70+ Bug Fixes

NachoVPN Attack Risks Corporate VPN Clients