Can Boards please confirm if there was a data breach in users email addresses being publicly exposed on the website? I have seen a post where a user has mentioned that they were able to see another users email address on their profile.
Well I don't call the shots in work, that's up to management, so I'm assuming it's the same here for part-time staff.
At time of writing, the compromised accounts are still showing in Google with the same search terms as before. Bear in mind this is in a window where I am not signed in to Boards AND this profile is now set to private. Just goes to show that the internet really is forever. Vanilla need to get rinsed over this. Proof attached…
Shield, I'm freaking out here now!
I set mine to private yesterday but could you check mine to make sure its definitely not visible through Google.
You’re ok.
Thanks a million, Sheild.
I set up my account years ago not thinking I'd ever have to worry about my email being exposed.
Mind having a look at mine please, Shield?
I requested my account and data be wiped exactly a week ago but it takes 30 days. Hopefully this will expedite the process.
You’re also ok. Sorry I can’t do any more here folks. Don’t have the time.
I say this a former DPO and someone who drafted and designed GDPR implementation for a large Telco.
What an absolutely monumental fúck up.
I can't wait to see the method behind this one being Vanilla's fault.
Thanks a million
Can you tell us how to do the search please so we can check for ourselves? Is it a special search?
What are the repercussions for Boards as a result of this?
You know what else is messed up, closed accounts now have their posts all perfectly indexed and viewable. This wasn't the case on the old site, you couldn't browse through closed accounts posts.
I don't enjoy berating boards stuff but they have to call a spade a spade sooner rather than later, this whole process and result has been a disaster. The site will die unless they do something drastic, the email leak is another cherry on top.
I'd say a big fine from Data Protection Commissioner, so the money that they thought they would save with Vanilla will be null and void.
This is the email you get when you request your account and data to be deleted
Make of it what ye will
Search google with this (obviously replace my 28064212 with your username):
28064212 site:boards.ie inurl:profile
That was always the case though once they realised they didn't have to delete your posts to be compliant with data protection.
The only issue I can see is if someone has requested their posts be anonymised and they still show up under their original username.
That's how it worked on old boards too I'm pretty sure.
Not quite - since Boards have decided not to make closed accounts private, you can do a search for closed accounts, and then see threads which the account had posted in. If you open a thread, and if the closed account was quoted, you can see the original username.
I tried this with a closed account that had their posts anonymised. It brought me to their profile page, the username was scrambled but all their posts were there.
It seems the truth is out there ...
Thank you.
Not for a first offence. They'll be told to mend it and not let it happen again.
I don't think this has been tested. According to GDRP you have a right to have data (including social media and forum posts) deleted but then some internet legal guy said there was a loophole whereby they don't have to be deleted because it would ruin the site so now everyone references him.
more info: https://law.stackexchange.com/questions/32361/does-a-user-have-the-right-to-request-their-forum-posts-deleted
You could be right, and if you are I suspect that'll be the death knell of Boards.
The fact that you can search a closed anonymised account and find all their posts under a scrambled username defeats the purpose of anonymising the name.
I wonder if anonymous posts in Personal Issues can be found in a poster's comments?
Not quite - you can see, from where a closed account had been quoted, what their original username was.
Also, closed accounts aren't made private, you can actually tailor a google search to return lists of closed accounts.
What a mess!
This was raised on 25th July. How have you just become aware of it now??
This is not exactly correct, it's not as cut and dried as that.
First off, the 72 hour clock only starts when the controller is reasonably sure that an actual security incident has occurred. In this case, there is yet to be presented any evidence that the exposure of email addresses is due to a failure in process. It is possibly the case that these users always had their email addresses exposed because they chose to. In any case, the 72 hour clock only starts when the investigation finds a breach has taken place, it doesn't start when a possible issue is reported.
Secondly, while the default position is to report breaches, the data controller if they are satisfied that the breach is limited in nature and is unlikely to present a risk to those affected, can opt to not report the breach, but they are obliged to internally log the issue as well as their justification for not reporting. This is probably an option in this case. Exposure of email addresses only is unlikely to present any risk "to the rights and freedoms of natural persons". That's up to boards to decide though.
Thirdly, there is no obligation on any company to issue a public statement or comment in relation to data breaches. Only individuals who've had their data exposed AND are likely to experience a high level of risk, are required to be notified. There is a general practice of making comments or statements because it's better PR than trying to sit on it, but there is no general public entitlement to be informed of data breaches - or of the company response to them - which don't personally affect you.
Lastly, the Irish DPC isn't in the habit of issuing fines. A small breach like this reported to the DPC would get nothing more than a "Thanks for letting us know" response.
The amount of noise and panic made about companies having to be GDPR compliant, gave the impression that it was a lot more strict and punitive than it actually is.
Boards need to modify their robots.txt file immediately
https://www.boards.ie/robots.txt
At the moment profile comments and discussions are blocked but actual profiles aren't.
Also once this is updated it can take weeks before Google fully re-indexes the site again (this can be pushed through quicker if Boards have a Google Webmaster Tools account)
Right, so if someone’s email address can be tied to a post exposing that they once cheated on their partner or was investigated at work etc. etc. It’s up to Boards to decide if that’s considered a risk?