Takeaways from the British Mensa Security Drama

Sometimes, you hear of security issues that baffle the mind. Worse they could have been easily avoided, and also handled much better in the security incident aftermath.

February saw a security issue that fits nicely into this camp, and it continues to rage on this week. Ironically, it involves one of the branches of an international organization most of us would consider full of smarts: Mensa. 

The British branch of Mensa, the society for people in the UK with high IQs, admitted last week that it has been hit by a cyber attack. 

(Did you know that the word Mensa is Latin for ‘table’, and this is displayed in both the Mensa International and British Mensa chapter logo. Apparently it was used to demonstrate the round-table nature of the organisation; the coming together of equals. If only they took their own advice….)

It seems the organization failed to properly secure the passwords on its website, leading to the inevitable theft of members’ personal data. 18,000 members of this branch were affected, according to the Financial Times. 

Eugene Hopkinson, the former director and technology officer at British Mensa, stood down this week, after revealing publicly that the organization had failed to protect its members. 

According to Forbes, Hopkinson claimed that the stored passwords of Mensa members were not hashed, potentially allowing hackers to unscramble them. A spokesperson for Mensa told the FT that member passwords had been encrypted and that the organization was in the process of hashing passwords. 

Hashing performs a one-way transformation on a password, turning the password into another String, called the hashed password. “One-way” means that it is practically impossible to go the other way – to turn the hashed password back into the original password.

For security reasons, storing passwords in hashed form is highly recommended. This approach safeguards the contents of a database against unauthorized access. 

But take heed. As explained  in Wired, “In theory, no one, not a hacker or even the web service itself, should be able to take those hashes and convert them back into passwords. But in practice, some hashing schemes are significantly harder to reverse than others. 

Hopkinson told the Financial Times that he believed the sensitive information being insecurely stored by Mensa includes:

• the IQ scores of members and failed applicants
• instant messaging conversations on Mensa’s website
• payment card details from Mensa’s online shop
• passwords
• email addresses
• home addresses

Based on some reports, there seems to be a lot of public infighting going on, some blaming the former director of technology; others blaming the head honchos for not taking it IT security seriously. Whatever turns out to be the case, I am willing to bet that none of this media noise does anything for the players or the organization. 

I mean, since this public announcement, the British Mensa website continues to be unavailable, merely displaying a message saying “site under maintenance.”

Even from the outside-looking-in vantage point, this security mess highlights a few key takeaways that might help you with your internal struggle to improve security in your organization. 

1. Make sure the person in charge of security in your organization has a clear budget, responsibilities and clear goals to maintain and/or improve security. Remember that these parameters should not be set until a risk assessment is performed by a trusted third party – like TBG Security – to highlight the issues and help you prioritize your security goal for the next term. 
2. An unsupported, disrespected, under-resourced, and therefore frustrated head of Information Security is a dangerous prospect for any organization. Make sure that the powers that be check with IT, listening to the challenges and work-arounds. Plus you might want to ensure the board get regular written reports on the services and any perceived IT security risks. Having a third-party supplier that is also responsible for reporting to the board on a regular basis cannot only mitigate risks but also add assurances that the right security areas are being focused upon. 
3. Remind yourself of that old adage: protect your customers. The real victims here are the British Mensa members whose private and personal data has been stolen. Without your customers – or in this case members – there is little reason to exist at all. They are now all vulnerable to spear phishing, targeted social engineering attacks, spamming – you name it. 
4. If you suffer a security incident, do not try and hide it. Report it immediately to the appropriate authorities in your jurisdiction. 

If you need more advice on how to nail down your information security, contact the experts at TBG Security. We are here to help.