The website of Mensa – the club for people who have scored highly in an IQ test but who feel their social lives would be improved by hanging out with other people who chose to join a club after scoring highly in an IQ test – is said to have suffered a cyber attack.
In an email to members, British Mensa said that “extensive investigations” by its hosting company and web developers have found “no evidence” that any data had been lost.
The discovery of an attack was swiftly followed by two of British Mensa’s board members quitting, citing concerns that the organisation is not properly protecting members’ data.
Eugene Hopkinson, who until recently was the British Mensa board’s technology officer, has reportedly been trying to convince Mensa’s leadership team since 2018 that the organisation needs to stop storing passwords in plain text.
Hopkinson told the Financial Times that he believed the sensitive information being insecurely stored by Mensa includes:
- the IQ scores of members and failed applicants
- instant messaging conversations on Mensa’s website
- payment card details from Mensa’s online shop
- email addresses
- home addresses
Since the resignations, British Mensa has shared limited details of other security incidents:
This week, a series of incidents have occurred which appear to be designed to discredit Mensa’s systems. One of these incidents did involve a breach of the private data of two members. The source of where that data was harvested is part of the investigation.
Throughout these incidents the society has been taking specialist data protection legal advice, and this incident has been reported by our solicitor to the Information Commissioner’s Office with a view to a criminal investigation. A significant amount of evidence has already been collected and should the ICO decide to pursue a criminal action, Mensa will support the decision fully.
According to a Forbes report, the Mensa site was accessed by someone using the login credentials of one of the organisation’s directors.
Whether the unauthorised access occurred because passwords were being stored without proper due care or security by Mensa, or because of carelessness by the director, or whether it is entirely unconnected to recent events is unclear.
But what is plain for anybody to see is that for the last couple of days, if you were to visit the British Mensa website at https://www.mensa.org.uk/, you would be greeted with an announcement that explains, not terribly attractively, that it is “currently undergoing maintenance.”
One imagines the organisation is reviewing its site security, and feels more comfortable inelegantly shutting down the site temporarily rather than risking further abuse.
If the claims made by Hopkinson are correct, it doesn’t sound like Mensa is being terribly smart about its data security.
Passwords, for instance, should never be stored in plain text. They should instead be salted and hashed.
It seems to me that hashing passwords is just common sense, rather than a question of intellect.
For further discussion, make sure to listen to this episode of the “Smashing Security” podcast:
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.