Two board members at British Mensa have quit after accusing the society for people with high IQs of substandard cyber security practices that could expose the personal data of thousands of its members.
Eugene Hopkinson, a director at British Mensa since 2018, announced his decision to stand down on Monday, publishing an open letter explaining his reasons for quitting the board of the organisation that has grown to include 18,000 UK members since its launch 75 years ago.
Mr Hopkinson, who until recently was the board’s technology officer, said he had battled to convince Mensa’s leadership team to tackle data security issues surrounding member passwords since 2018.
His biggest concern was that member passwords were not “hashed” or scrambled, making them potentially identifiable to hackers.
He told the Financial Times that Mensa holds a lot of sensitive information — including the IQ scores of members and failed applicants; instant messaging conversations on its website; payment card numbers from the online shop; as well as passwords, email details and home addresses.
Matters came to a head last week when the organisation’s chief executive, John Stevenage, informed the board that Mensa’s website was experiencing a cyber attack.
Mr Hopkinson, a former managing director at Goldman Sachs who now runs his own software business, said in his letter that he immediately requested a full investigation “as a high priority” to determine whether a data breach had occurred. However, by Monday, this had not taken place, he added.
“At this point, I have no faith that the board will take adequate action to investigate this possible data security breach,” Mr Hopkinson said in his letter.
“If a breach is found to have taken place, I have no faith that the board and office will report it adequately . . . or take sufficient mitigating action to prevent further harm,” he added.
Mr Hopkinson’s partner and fellow British Mensa director Emily Shovlar announced her intention to quit the board on Thursday, citing similar concerns in an open letter.
“I have no confidence that the Mensa administration will investigate this breach thoroughly, that it will learn any lessons from this experience, or that it will improve its negligent treatment of member data,” she said in the letter.
“Most of all I have no confidence that the board will communicate truthfully with members about any of this, or any other risk to member wellbeing. I find my position on the board untenable.”
Mensa said it was undertaking an investigation into the cyber attack which “involved considerable resources”.
A spokesperson said: “There has been a series of events which appear to be designed to discredit Mensa’s systems. As a result, we have handed details of these events to the Information Commissioner’s Office with a view to pursuing a criminal investigation.”
The spokesperson added that member passwords were encrypted; were never sent out or stored as plain text; that additional work on hashing passwords was “being completed”; and that additional security measures had been put in place as a precautionary measure.
The resignations have sent shockwaves through Mensa’s online forums.
On a private British Mensa Facebook group with more than 2,000 members, one post called for an extraordinary general meeting to discuss the events surrounding Mr Hopkinson’s departure. By Friday, the post had drawn 92 responses from Mensa members with several supporting the call for an EGM.
One member, speaking privately, said he has long had concerns about Mensa’s approach to handling member data. His Mensa password had been emailed to him by the organisation in plain text within the past 12 months.
He said he was “pretty upset” by the claims in Mr Hopkinson’s resignation letter, adding: “If they are not storing passwords in the appropriate way, it is concerning how they might be storing financial data as well.
“To keep my membership with Mensa, I would need them to make it very clear that they are storing member data in the appropriate way.”