Security flaw in Tory conference app leaks attendee data

Senior Conservative figures such as Boris Johnson and Michael Gove had their accounts hacked after attendees guessed their email addresses

Glum Boris

A security flaw in the official Conservative Party conference app made its users' private data accessible to anyone with just an email address.

Third parties who either had or could work out a user's email address could access their accounts. Once logged in, they could see private information, such as phone numbers, or make changes to personal details and make them public.

Cabinet minister Michael Gove and former foreign secretary Boris Johnson both had their accounts hacked, with the latter's profile picture being changed to one featuring a pornographic image.

The leak also included attendees, such as members of the press. Guardian journalist Dawn Foster was one of the first to report the breach and tweeted a photo of a statement she received from the app.

"The technical error was resolved within 30 minutes after being brought to our attention, the Conference App is now functioning securely and we have made an initial data breach report to the Information Commissioner's Office (ICO)," a Tory spokesman said.

"But it's not good enough that people's data may have been made available and we are disappointed that we have been let down by a third party supplier - CrowdComms."

CrowdComms is an Australian company and it posted an apology to the Tory party saying of the breach: "it is likely that it affected a very small proportion of attendees."

Commenting on the breach, Mark Noctor, VP at Arxan Technologies, said that while the Conservative party may have stopped the leak of sensitive data, it raises concerns over the government's suitability in this age of data privacy.

"As the party of government, the Tories are meant to be passing and enforcing laws, this would appear to be a breach of GDPR law, rising to the fore whether enough has really been done to ensure data privacy," he said.

Both the Tory party and CrowdComms have made the ICO aware of the breach. In a statement, the ICO said: "We are aware of an incident involving a Conservative Party conference app and we will be making enquiries with the Conservative party.

"Organisations have a legal duty to keep personal data safe and secure. Under the GDPR they must notify the ICO within 72 hours of becoming aware of a personal data breach if it could pose a risk to people's rights and freedoms."

Featured Resources

Humility in AI: Building trustworthy and ethical AI systems

How humble AI can help safeguard your business

Download now

Future of video conferencing

Optimising video conferencing features to achieve business goals

Download now

Leadership compass: Privileged Access Management

Securing privileged accounts in a high-risk environment

Download now

Why you need to include the cloud in your disaster recovery plan

Preserving data for business success

Download now

Recommended

What is AES encryption?
Advanced Encryption Standard (AES)

What is AES encryption?

30 Nov 2020
UK's Huawei 5G ban brought forward to September 2021
Security

UK's Huawei 5G ban brought forward to September 2021

30 Nov 2020
Hacker claims to be selling C-suite executives' Microsoft credentials
Security

Hacker claims to be selling C-suite executives' Microsoft credentials

30 Nov 2020
What are biometrics?
Security

What are biometrics?

27 Nov 2020

Most Popular

Huawei Mate 40 Pro 5G review: A tragically brilliant Mate
Mobile Phones

Huawei Mate 40 Pro 5G review: A tragically brilliant Mate

26 Nov 2020
What is phishing?
phishing

What is phishing?

25 Nov 2020
Microsoft Teams no longer works on Internet Explorer
Microsoft Office

Microsoft Teams no longer works on Internet Explorer

30 Nov 2020