Tory Conference App Security Blunder Exposes Ministers' Personal Details

Boris Johnson’s 'position' was immediately changed to 'twat'.

The tech company behind the Conservative Party conference app has accepted responsibility for a major flaw which temporarily allowed anyone to log in and view the personal details of others using it - including Cabinet ministers.

The CPC 2018 app allowed anyone to log in as a politician, delegate or journalist attending the Birmingham event simply using their email address.

Several ministers, including those in roles with top-ranking security clearance, were reported to have received nuisance calls from members of the public after Saturday’s breach.

The blunder was discovered by journalists attending the annual Tory conference.

Jacobin’s Dawn Foster tweeted screenshots showing how she could log into Boris Johnson’s account without being asked for a password or to provide confirmation.

Once in, Johnson’s personal details, which he’d provided to sign up to the app, were freely available.

All profiles could also be edited by anyone - Michael Gove’s picture was replaced with one of Rupert Murdoch and Johnson’s “position” was changed to “twat”.

The Mirror reports Johnson’s profile picture was momentarily changed to “hardcore pornography”.

The app, created by an Australian firm called CrowdComms, was updated and the login function removed after concerns were raised with the party.

A Conservative spokesman said: “The technical issue has been resolved and the app is now functioning securely. We are investigating the issue further and apologise for any concern caused.”

Users of the app were emailed about the error by the Conservative Party on Sunday.

The email said that only a “small number of conference attendees” were affected by the fraudulent access.

It read: “We want to assure you that no other information that you may have provided when registering to attend conference was involved.

“We take this very seriously.

“The technical error was resolved within 30 minutes after being brought to our attention, the Conference App is now functioning securely and we have made an initial data breach report to the Information Commissioner’s Office.

“But it’s not good enough that people’s data may have been made available and we are disappointed that we have been let down by a third party supplier - CrowdComms.”

A statement from CrowdComms said: “An error meant that a third party in possession of a conference attendee’s email address was able, without further authentication, to potentially see data which the attendee had not wished to share - name, email address, phone number, job title and photo. The error was rectified within 30 minutes.

“It is likely that it affected a very small proportion of attendees and we are working with the Conservative Party to ensure any potentially affected attendees are notified.

“We will also be reporting this to the ICO and reviewing and amending our Data Policies. We apologise unreservedly to the Conservative Party and their delegates.”

Theresa May was asked about the blunder when arriving in Birmingham on Saturday afternoon but refused to answer.

One person who will be particularly panicked about the incident is Brandon Lewis, who was due to unveil the app as part of overhauling “the oldest and most successful political party in the world” in his opening conference speech tomorrow.

Jon Trickett, Labour’s Shadow Cabinet Office minister, said: “How can we trust this Tory Government with our country’s security when they can’t even build a conference app that keeps the data of their members, MPs and others attending safe and secure?

“The Conservative Party should roll out some basic computer security training to get their house in order.”

In a further jab at the Tories’ predicament, Momentum offered to help build next year’s app for them.

A spokesperson for the Information Commissioner’s Office said: “We are aware of an incident involving a Conservative Party conference app and we will be making enquiries with the Conservative Party.

“Organisations have a legal duty to keep personal data safe and secure. Under the GDPR they must notify the ICO within 72 hours of becoming aware of a personal data breach, if it could pose a risk to people’s rights and freedoms.”

A cyber security breach is particularly embarrassing for a Tory Government that has put the issue at the heart of many of its initiatives.

In April it was announced that a new £13.5 million cyber security innovation centre is to be developed in the Queen Elizabeth Olympic Park in London as part of the Government’s £1.9 billion investment in keeping the UK safe online.