Sometimes you hear of security issues that baffle the mind. Worse, they could have been easily avoided, and the aftermath of the security incident could have been handled much better.
February saw a security issue that fits nicely into this camp, and it continues to rage on this week. Ironically, it involves one of the branches of an international organization most of us would consider full of smarts: Mensa.
The British branch of Mensa, the society for people in the UK with high IQs, admitted last week that it has been hit by a cyber attack.
(Did you know that the word Mensa is Latin for ‘table’? This is reflected in both the Mensa International and British Mensa chapter logos. Apparently it was chosen to represent the round-table nature of the organisation: the coming together of equals. If only they took their own advice…)
It seems the organization failed to properly secure the passwords on its website, leading to the inevitable theft of members’ personal data. 18,000 members of this branch were affected, according to the Financial Times.
Eugene Hopkinson, the former director and technology officer at British Mensa, stood down this week, after revealing publicly that the organization had failed to protect its members.
According to Forbes, Hopkinson claimed that the stored passwords of Mensa members were not hashed, potentially allowing hackers to unscramble them. A spokesperson for Mensa told the FT that member passwords had been encrypted and that the organization was in the process of hashing passwords.
Hashing performs a one-way transformation on a password, turning the password into another string, called the hashed password. “One-way” means that it is practically impossible to go the other way – to turn the hashed password back into the original password.
For security reasons, storing passwords in hashed form is highly recommended. That way, even someone who gains unauthorized access to the database obtains only the hashes, not the passwords themselves.
But take heed. As explained in Wired, “In theory, no one, not a hacker or even the web service itself, should be able to take those hashes and convert them back into passwords. But in practice, some hashing schemes are significantly harder to reverse than others.”
Hopkinson told the Financial Times that he believed the sensitive information being insecurely stored by Mensa includes:
Based on some reports, there seems to be a lot of public infighting going on, some blaming the former director of technology, others blaming the head honchos for not taking IT security seriously. Whatever turns out to be the case, I am willing to bet that none of this media noise does anything for the players or the organization.
I mean, since this public announcement, the British Mensa website continues to be unavailable, merely displaying a message saying “site under maintenance.”
Even from the outside-looking-in vantage point, this security mess highlights a few key takeaways that might help you with your internal struggle to improve security in your organization.
If you need more advice on how to nail down your information security, contact the experts at TBG Security. We are here to help.