UK Conservative Party conference app leaks MPs' personal details

MPs received prank calls and had their phone numbers and email addresses shared online.
Written by Catalin Cimpanu, Contributor

A mobile conference app developed for the UK's Conservative Party leaked the private details of people who had registered to attend the party's conferences, including party members and UK government officials.


The leak was discovered on Saturday afternoon, September 29, by Guardian columnist Dawn Foster who posted her findings on Twitter.

Foster discovered that the Conservative Party's conference app let anyone log in with nothing more than an email address.

The app used no authentication mechanism at all, such as a password or a one-time code sent to the registered email address. A user only needed to type an email address into the app's login field to reach that person's profile page.
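The failure described above is the classic "identifier used as credential" mistake: knowing who someone is was treated as proof of being that person. The Python below is an added illustration, not code from the Conservative Party's app or its developer (whose implementation is not public here). It places the vulnerable lookup beside a hardened flow in which the email address only identifies the account and a short-lived one-time code, delivered to that mailbox, proves possession of it. The user records, the in-memory stores and the handling of SERVER_KEY are constructed assumptions for the demonstration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample user store for the demonstration; these are not real
# people or the conference app's data.
USERS = {
    "alice@example.org": {"name": "Alice Example", "phone": "+44 7700 900123", "photo": "alice.jpg"},
    "bob@example.org": {"name": "Bob Example", "phone": "+44 7700 900456", "photo": "bob.jpg"},
}


def vulnerable_login(email):
    """The flaw described in the article: the email address is the whole credential.

    Whoever can guess a registered address gets that person's profile (and, in
    the real app, could edit it). Nothing here proves the caller owns the mailbox.
    """
    return USERS.get(email)


# Hardened flow: the email only identifies the account; possession of the
# mailbox is proven by echoing back a short-lived one-time code sent to it.
CODE_TTL = 600          # seconds a code stays valid
MAX_ATTEMPTS = 5        # wrong guesses allowed before the code is discarded
SERVER_KEY = secrets.token_bytes(32)   # per-deployment secret; assumed to come from a KMS or env var in practice
_pending = {}           # email -> {"digest": bytes, "expires": float, "attempts": int}
_sessions = {}          # session token -> email


def _digest(email, code):
    # Bind the code to the email so a code issued for one account cannot be replayed against another.
    return hmac.new(SERVER_KEY, f"{email}\x00{code}".encode(), hashlib.sha256).digest()


def request_code(email, now=None):
    """Issue a 6-digit one-time code for a registered email and return it for out-of-band delivery.

    Only an HMAC of the code is stored server-side. Returns None for unknown
    addresses; the HTTP layer should answer identically in both cases
    ("if that address is registered, a code has been sent") so the endpoint
    cannot be used to enumerate members.
    """
    now = time.time() if now is None else now
    if email not in USERS:
        return None
    code = f"{secrets.randbelow(1_000_000):06d}"
    _pending[email] = {"digest": _digest(email, code), "expires": now + CODE_TTL, "attempts": 0}
    return code


def verify_code(email, code, now=None):
    """Exchange a correct, unexpired code for a session; return None on any failure.

    Codes are single-use, expire after CODE_TTL seconds and are discarded after
    MAX_ATTEMPTS wrong guesses, which is what makes a 6-digit code safe against
    online brute force.
    """
    now = time.time() if now is None else now
    entry = _pending.get(email)
    if entry is None:
        return None
    if now >= entry["expires"]:
        del _pending[email]
        return None
    entry["attempts"] += 1
    if entry["attempts"] > MAX_ATTEMPTS:
        del _pending[email]
        return None
    if not hmac.compare_digest(_digest(email, code), entry["digest"]):
        return None
    del _pending[email]                       # single use
    token = secrets.token_urlsafe(32)
    _sessions[token] = email
    return {"session": token, "profile": USERS[email]}


def update_profile(token, **fields):
    """Profile edits (e.g. the photo) are only accepted with a session obtained through verify_code."""
    email = _sessions.get(token)
    if email is None:
        return False
    allowed = {"name", "photo"}
    if not fields or not set(fields) <= allowed:
        return False
    USERS[email].update(fields)
    return True


if __name__ == "__main__":
    # Walk through both flows with the constructed data.
    print("vulnerable:", vulnerable_login("alice@example.org"))
    code = request_code("alice@example.org")
    print("wrong code:", verify_code("alice@example.org", "not-it"))
    session = verify_code("alice@example.org", code)
    print("verified  :", session["profile"]["name"])
    print("edit photo:", update_profile(session["session"], photo="new.jpg"))
    print("edit w/o  :", update_profile("forged-token", photo="evil.jpg"))
```

The three properties that matter are the ones the original app lacked: the secret is something only the mailbox owner receives, it cannot be guessed online because of the expiry and attempt cap, and every write to a profile is tied to a session that only exists after that proof.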


It didn't take long after Foster's revelations for Twitter users to realize that they only needed to guess a Conservative Party member's email address to access his or her account.

Some party members used official party or government-issued email addresses to register for the app, such as Michael Gove (UK's Secretary of State for Environment, Food and Rural Affairs) and Boris Johnson (Secretary of State for Foreign and Commonwealth Affairs), two leading figures of the Conservative Party.

Miscreants abused the app's faulty login system to share users' personal details online or to alter their profiles.

For example, a user accessed Boris Johnson's account and changed the profile picture to a pornographic image, while another changed Michael Gove's profile image to a photo of Rupert Murdoch, his previous employer.

Some phone numbers and email addresses for high-profile British Members of Parliament (MPs) were shared on Twitter earlier today. Some received prank calls and messages.

In a statement on its website, the Information Commissioner's Office (ICO), the UK's privacy watchdog, said it was aware of the incident and "will be making enquiries."

"Organisations have a legal duty to keep personal data safe and secure. Under the GDPR they must notify the ICO within 72 hours of becoming aware of a personal data breach, if it could pose a risk to people's rights and freedoms," the ICO said.


Access to the app was shut down temporarily to prevent further abuse after Foster's tweets, but the app is now back online, ready for the party conference set to take place tomorrow, Sunday, according to a tweet from Brandon Lewis, Chairman of the UK's Conservative Party.
