Tory Party Conference app responsible for major security leak
The Conservative Party found out just how fickle technology can be as its party conference app let users see and edit sensitive data of key party members, journalists and other attendees.
The app, released to let Conservative Party Conference attendees access conference schedules and floor plans and leave feedback on ongoing talks, was used by hundreds during the 30 September to 3 October event. The interactive app was designed, in part, to help the party appeal to a younger demographic – something the Tories have struggled to attain of late.
However, users were quick to notice that the app could also be used to see and edit personal information about other attendees and speakers, including phone numbers. Many high-profile figures, such as Boris Johnson and Michael Gove, had their profiles edited, but the error also meant contact details and personal information of regular attendees and journalists were made available.
Access to the app was restricted to attendees, but it only required an email address to sign up. Given that the email addresses of many high-profile Conservatives are on public record, the app could be accessed by anyone with access to a working email.
The Conservative Party blamed app developers Crowd Comms for the error, saying in an email apology issued to attendees that “we are disappointed that we have been let down by a third party supplier”. However, the party has been criticised for the time it took to respond to the issue and the complete lack of an actual apology in the email. In addition, the Information Commissioner’s Office (ICO) is to investigate the extent of the issue.
“If these vulnerable front-end pieces of critical infrastructure are not developed securely from the outset, then an embarrassing breach may be the least of your worries,” explained Mark Noctor, VP EMEA of application security company Arxan Technologies. “There need to be regulations that require app security to be in place and not just seen as a ‘tick box activity’.”
Noctor also suggested the snafu “would appear to be a breach of GDPR law”, meaning the Conservatives could face a hefty fine if they’re not careful.
With the Conservative Party’s plan to prove its technological competency backfiring, hopefully it will help members reflect on the party’s relationship with tech. But, seeing as a Conservative MP had her website hacked (in a blog post about the breach), this seems unlikely.