Mensa data breach due to ‘unauthorised internal download’

Exclusive: Eggheads at high IQ society Mensa have ruled out claims that their website was hacked earlier this year, according to an email seen by The Register.

The society instead suggested that the data breach – which is still under investigation by police – may be an inside job.

A number of cyberattacks in January and February left security folk scratching their heads as they tried to figure out the problem that exposed some members’ personal details and led to a website snafu.

In response, Mensa launched a series of investigations by its IT contractors, which showed there was “no external breach”. This was followed up by a wholesale review of systems security and procedures.

Keeping its members up-to-date about events, Chris Leek, Chairman of British Mensa, said in an email posted last Friday and seen by us:

A spokesperson for Mensa declined to elaborate or comment further while the matter was under active police investigation.

Although their systems were given a clean bill of health, Mensa reports it has implemented a series of changes to beef up security, such as forcing all users to reset passwords and urging people to make them trickier to break.

Apologising for any inconvenience or anxiety caused by the incident, Leek added: “I can reassure members that our systems are secure and additional measures have been put in place to ‘future proof’ them. I would also like to reiterate that we do not keep credit card or payment details on the database.”

Late in January, two board members at British Mensa, Eugene Hopkinson and Emily Shovlar, told the FT they had quit due to their concern over cybersecurity practices at the outfit.

Hopkinson, who until he resigned was the UK arm’s technology officer, alleged at the time that member passwords were not hashed. Another member claimed to the paper that their password had been emailed to them in plain text.

A spokesperson for Mensa retorted at the time that passwords “were encrypted; were never sent out or stored as plain text; [and] that additional work on hashing passwords was ‘being completed’.”

No one from West Midlands Police or the ICO was available for comment to the Reg at the time of writing. ®
