A flaw in an app used by people attending the Conservative party conference has exposed all contact details and other personal information on those registered to attend the conference – including those of senior Tory party members, such as Boris Johnson. The app also allowed anyone to make changes to the details.
As a result of contact details becoming public, several MPs and ministers received prank phone calls. The gaffe allowed anyone to reach a politician’s profile simply by entering their email address (addresses which are easy to find online) and then view and edit the stored data: the app accepted the email address as the sole credential, with no password, emailed link or other check that the person logging in actually controlled that mailbox.
According to a tweet sent by Guardian columnist Dawn Foster, the Tory conference CPC18 app "allows you to login as other people and view their contact details just with their email address, no emailed security links, and post comments as them".
"They’ve essentially made every journalist, politician and attendee’s mobile number public. Fantastic," she added.
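The flaw described above is an authentication design error rather than a subtle bug: the app treated knowledge of an email address as proof of identity. The following is an added example, written for this page and not code from the original article or from the conference app, that contrasts that pattern with the "emailed security link" Foster refers to. It uses a constructed attendee directory (the name, phone number and title are invented), stands in for email delivery with an in-memory outbox, and uses the Python standard library only.

```python
import hashlib
import secrets
import time

# Constructed sample directory standing in for the app's attendee records.
PROFILES = {
    "attendee@example.org": {
        "name": "A. Attendee", "phone": "07700 900000",
        "title": "MP", "photo": "attendee.jpg",
    },
}

# --- Vulnerable pattern: the email address is the only credential ---
def vulnerable_login(email):
    """Anyone who knows the address gets an editable profile back."""
    profile = PROFILES.get(email)
    if profile is None:
        return None
    # The caller can now read the phone number and overwrite title/photo.
    return {"email": email, "profile": profile}


# --- Hardened pattern: single-use, expiring link mailed to the address ---
TOKEN_TTL = 15 * 60            # seconds a login link stays valid
_pending = {}                  # sha256(token) -> (email, expiry time)


def request_login_link(email, now=None, outbox=None):
    """Issue a magic-link token for `email` and 'send' it.

    The response is identical whether or not the address is registered, so
    the endpoint does not confirm who is attending (no user enumeration).
    `outbox` is a list standing in for the mail system in this example.
    """
    now = time.time() if now is None else now
    if email in PROFILES:
        token = secrets.token_urlsafe(32)           # 256 bits of entropy
        digest = hashlib.sha256(token.encode()).hexdigest()
        _pending[digest] = (email, now + TOKEN_TTL)  # store a hash, not the token
        if outbox is not None:
            outbox.append((email, token))
    return "If that address is registered, a login link has been sent."


def redeem_login_link(token, now=None):
    """Exchange a mailed token for a session bound to the issuing address.

    The token is single-use (popped on first attempt) and expires; because
    only its hash is stored, a leaked copy of `_pending` cannot be replayed.
    """
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = _pending.pop(digest, None)
    if entry is None:
        return None
    email, expiry = entry
    if now > expiry:
        return None
    return {"email": email}


def update_profile(session, target_email, field, value):
    """Edits are only allowed on the profile the session was issued for."""
    if session is None or session["email"] != target_email:
        return False
    if target_email not in PROFILES or field not in ("title", "photo"):
        return False
    PROFILES[target_email][field] = value
    return True


if __name__ == "__main__":
    # Attacker knows only the address: the vulnerable path hands over everything.
    print(vulnerable_login("attendee@example.org"))
    # Hardened path: the address alone yields nothing usable.
    outbox = []
    print(request_login_link("attendee@example.org", outbox=outbox))
    print(redeem_login_link("guessed-token"))        # None
    _, token = outbox[0]                             # only the mailbox owner sees this
    print(redeem_login_link(token))                  # {'email': 'attendee@example.org'}
```

The point of the hardened path is not the token mechanics but where the secret goes: it is delivered to the mailbox, so only someone who controls the address can complete the login, which is exactly the step the conference app omitted.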
Through the flaw, former foreign secretary Boris Johnson had his profile picture changed to a pornographic image and his job title changed to a profane insult.
Environment secretary Michael Gove’s picture was changed to one of Rupert Murdoch, his former employer from Gove’s days as a journalist.
According to reports from the Independent, Conservative Party chairman Brandon Lewis said that the flaw was a "serious matter", affecting a "limited number" of people.
He added on Sky News’s Ridge on Sunday that "any breach of data is a serious matter, that’s why we are taking it seriously. We are investigating, we have already contacted the Information Commissioner and we will be putting in a fuller report to them."
In a statement, the Conservative Party said: "The technical issue has been resolved and the app is now functioning securely. We are investigating the issue further and apologise for any concern caused."
The app, created by an Australian firm called Crowd Comms, has since been updated and the login function removed after the party raised concerns. The firm said the flaw was spotted and rectified within 30 minutes.
A statement on Crowd Comms’ website read: "On Saturday 29 September at around 13:50 UK time we were made aware that a small number of attendee profiles were fraudulently accessed on the app that we are providing for the Conservative Party Conference.
"An error meant that a third party in possession of a conference attendee’s email address was able, without further authentication, to potentially see data which the attendee had not wished to share – name, email address, phone number, job title and photo.
"The error was rectified within 30 minutes. It is likely that it affected a very small proportion of attendees and we are working with the Conservative Party to ensure any potentially affected attendees are notified.
"We will also be reporting this to the ICO and reviewing and amending our Data Policies. We apologise unreservedly to the Conservative Party and their attendees."
Mark Noctor, VP EMEA at Arxan Technologies, told SC Media UK that the Tory app data breach this weekend is yet another example of how all organisations, whether they are the nation’s governing party or not, must change their mindsets and treat applications as though they are the endpoint.
"With a whole host of data available, potentially more critical than party member contact details, if these vulnerable front-end pieces of critical infrastructure are not developed securely from the outset, then an embarrassing breach may be the least of your worries. Apps need to be protected from compromise or attackers can effectively bypass security controls and have access to cryptographic keys, payload formats, credentials, API endpoint references and so much more," he said.
Noctor said that, as the party of government, the Tories are meant to be passing and enforcing laws. This incident would appear to be a breach of GDPR, bringing to the fore the question of whether enough has really been done to ensure data privacy.
"There need to be regulations that require app security to be in place and not just seen as a ‘tick box activity’ as it may have been in the past," he said.