Mensa data spillage was due to 'unauthorised internal download'

Book smarts vs street smarts face-off might have been an inside job, claims egghead chief

Exclusive Eggheads at high IQ society Mensa have ruled out claims that their website was hacked earlier this year, according to an email seen by The Register.

The society instead suggested that the personal data leakage – which is still under investigation by police – may be an inside job.

A number of cyberattacks in January and February left security folk scratching their heads as they tried to figure out the problem that exposed some members' personal details and led to a website snafu.

In response, Mensa launched a series of investigations by its IT contractors, which showed there was “no external breach”. This was followed up by a wholesale review of systems security and procedures.

Keeping its members up-to-date about events, Chris Leek, Chairman of British Mensa, said in an email posted last Friday and seen by us:

Reports at the time appeared to be designed to discredit Mensa by suggesting that we had been ‘hacked’ i.e. there had been a breach of data through our website. [I] am pleased to report that our systems were found to be robust and at no immediate risk of a breach from external sources.

However, I can now also confirm that during initial investigations by our IT contractors, it was discovered that an unauthorised internal download of the database had taken place. The police are continuing to investigate that incident.

A spokesperson for Mensa declined to elaborate or comment further while the matter was under active police investigation. It had notified the Information Commissioner’s Office, Action Fraud and West Midlands Police following the incident.

Although its systems were given a clean bill of health, Mensa reports it has implemented a series of changes to beef up security, such as forcing all users to reset passwords and urging people to make them trickier to break.

Apologising for any inconvenience or anxiety caused by the incident, Leek added: “I can reassure members that our systems are secure and additional measures have been put in place to ‘future proof’ them. I would also like to reiterate that we do not keep credit card or payment details on the database.”

Late in January, two board members at British Mensa, Eugene Hopkinson and Emily Shovlar, told the FT they had quit due to their concern over cybersecurity practices at the outfit.

Hopkinson, who until he resigned was the UK arm's technology officer, alleged at the time that member passwords were not hashed. Another member claimed to the paper that their password had been emailed to them in plain text.

A spokesperson for Mensa retorted at the time that passwords "were encrypted; were never sent out or stored as plain text; [and] that additional work on hashing passwords was 'being completed'."

No one from West Midlands Police or the ICO was available for comment to The Reg at the time of writing. ®
