Perhaps as many as 4,000 users affected
Howard Freeman – 4th March 2019
Parenting website Mumsnet has revealed that a data breach occurred during a software update. This happened between 5th and 7th February, 2019. A technical problem caused users who logged on to be directed to someone else’s account.
Site founder, Justine Roberts, stated that up to 4,000 users were logged in whilst the breach was occurring. However, only fourteen users have said they were affected by the breach.
The type of information revealed was:
- Email address
- Account details
- Posting history
- Personal messages
However, Roberts confirmed that passwords weren’t revealed. The passwords were encrypted and not listed on users’ accounts.
Patching and pre-release testing
It is critical that patches are applied as soon as they are released, to prevent exploitation of vulnerabilities. Patches contain fixes for known problems, and those fixes must be applied to prevent malicious exploitation.
However, Mumsnet has learnt the hard way that patching alone will not suffice. The NHS also learnt this in 2017 with unpatched Windows XP machines. They were exploited by WannaCry and cost the NHS £92 million.
As soon as patching is complete, businesses must carry out a vulnerability scan. This is to ensure the patch hasn’t created any further problems or further vulnerabilities.
To achieve this, businesses can use a variety of tools to conduct vulnerability scans, but they all work in a similar way. A series of tests are undertaken, which are designed to identify system settings that contain known vulnerabilities. A completed scan will provide a summary of alerts for the business to act upon.
Mumsnet isn’t the only organisation seeing vulnerabilities introduced in software updates cause problems. It’s an often-made mistake that can have serious security implications. Testing in a sandbox prior to general release will help prevent such problems.
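What a pre-release check for this class of fault can look like, as an added example that is not code from Mumsnet or from the original article: a session-isolation test that logs in several users and confirms each one is served their own account. The article does not say what the technical problem was, so the `App` class, the `cache_pages` defect and the sample accounts are constructed assumptions.

```python
import secrets

# Constructed sample accounts (not real users).
ACCOUNTS = {
    "alice": "alice@example.test",
    "bob": "bob@example.test",
    "carol": "carol@example.test",
}

class App:
    """Minimal stand-in for a site with login and an account page.
    cache_pages=True models a hypothetical update that caches rendered
    pages by URL only, ignoring which session asked for them."""

    def __init__(self, cache_pages=False):
        self.sessions = {}      # session token -> username
        self.page_cache = {}    # URL -> rendered page
        self.cache_pages = cache_pages

    def login(self, username):
        token = secrets.token_hex(16)
        self.sessions[token] = username
        return token

    def get(self, url, token):
        if self.cache_pages and url in self.page_cache:
            return self.page_cache[url]   # defect: served regardless of session
        user = self.sessions[token]
        page = {"user": user, "email": ACCOUNTS[user]}
        if self.cache_pages:
            self.page_cache[url] = page
        return page

def session_isolation_failures(app, usernames):
    """Log every user in first, then fetch /account with each token.
    Returns (expected_user, served_user) pairs where the two differ."""
    tokens = {u: app.login(u) for u in usernames}
    failures = []
    for user, token in tokens.items():
        served = app.get("/account", token)["user"]
        if served != user:
            failures.append((user, served))
    return failures

if __name__ == "__main__":
    builds = (("before update", App()), ("after update", App(cache_pages=True)))
    for label, app in builds:
        bad = session_isolation_failures(app, list(ACCOUNTS))
        print(label, "PASS" if not bad else f"FAIL {bad}")
```

Run against a sandbox build with several users logged in at once, a check like this fails the release before any real account is exposed; a single-user smoke test would pass both builds.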