Conservative MPs, including high-profile party figures such as Boris Johnson and Jeremy Hunt, have had their phone numbers, email addresses and other personal details revealed due to security flaws in the official conference app.
Dawn Foster, a columnist at the Guardian, first highlighted the security issues on social media and claimed she had been able to access Johnson’s personal details.
Several other Government ministers, including those with top-rank security clearance, reported they had received nuisance calls from the public following the breach.
Strong & Stable Security
The columnist shared a redacted picture of Johnson’s profile online, one which didn’t reveal his details. However, according to Foster, people could access an MPs personal information by entering their email address (without a password) when pressing the attendee’s button in the app.
In a statement, the Conservative Party said the button has been removed on the app. Party chairman, Brandon Lewis, said the app was now “functioning securely” and that the party would begin “investigating the issue further.”
Johnson wasn’t the only high-profile party figure to be affected by the security glitch. Images on Twitter showed people changing individuals’ profile pictures and leaving messages via the app’s internal messaging feature.
Michael Gove’s profile was allegedly switched for one showing media mogul, Rupert Murdoch. Gove previously worked as a journalist at The Times, which is owned by Murdoch’s media corporation.
Crowd Comms Responds
The app designer, Crowd Comms, is an Australia-based company. In a statement, the firm apologised for the error and highlighted that the issue was resolved within 30 minutes.
“On Saturday 29th September at around 1.50pm UK time, we were made aware that a small number of attendee profiles were fraudulently accessed on the app that we are providing for the Conservative Party Conference,” Crowd Comms said in a statement.
“An error meant that a third-party in possession of a conference attendee’s email address was able, without further authentication, to potentially see data which the attendee had not wished to share – name, email address, phone number, job title and photo
“The error was rectified within 30 minutes. It is likely that it affected a very small proportion of attendees and we are working with the Conservative Party to ensure any potentially affected attendees are notified.”
The Information Commissioner’s Office (ICO) released a statement saying it would begin making enquiries about the breach. The statement added that the glitch “could pose a risk to people’s rights and freedoms”.
It said: “We are aware of an incident involving a Conservative Party conference app and we will be making enquiries with the Conservative Party.
“Organisations have a legal duty to keep personal data safe and secure. Under the GDPR they must notify the ICO within 72 hours of becoming aware of a personal data breach if it could pose a risk to people’s rights and freedoms.”
For members of the opposition, the breach represents more than just a security issue. Jon Trickett MP, a member of Labour’s shadow cabinet, criticised the Conservatives and questioned the party’s ability to protect the country.
“How can we trust this Tory Government with our country’s security when they can’t even build a conference app that keeps the data of their members, MPs and others attending safe?” he asked.