The Conservative conference app blunder is no laughing matter

In case you missed it, the official Conservative Party app for their 2018 conference was at the centre of a whole new conversation about data security after it emerged users were able to see – and amend – personal contact information for Ministers and MPs.

A security flaw that allowed users to sign in without being asked for a password meant that anybody could access the mobile numbers and email addresses of anybody attending the party conference – from Prime Minister Theresa May to members of the media.

Dawn Foster, a Guardian columnist, has been credited with finding the flaw while testing out the app ahead of the conference in Birmingham, which starts tomorrow.

To her amazement, she was not asked for a password when signing into her own profile – and so tried it out with other accounts.

And she successfully signed in as Boris Johnson (but was then unable to sign out), receiving all kinds of notifications intended for the former Foreign Secretary.
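As an added illustration (not code from this blog or from the conference app, whose internals are not public), here is a minimal Python model of the failure described above, using constructed sample data: a sign-in that merely looks the email address up, beside one that verifies a password and then only lets a session amend its own profile.

```python
# Added example: models the reported flaw (sign-in with no password check) and the fix.
# All names, emails and phone numbers below are constructed placeholders.
import hashlib
import hmac
import secrets

ATTENDEES = {}  # email -> attendee record (constructed in-memory store)


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def register(email: str, name: str, mobile: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    ATTENDEES[email] = {"name": name, "mobile": mobile,
                        "salt": salt, "pw_hash": _pbkdf2(password, salt)}


def sign_in_vulnerable(email: str):
    # Flawed: "signing in" is just a lookup on the email the client supplies,
    # so anyone who knows an attendee's address gets that attendee's session.
    return {"user": email} if email in ATTENDEES else None


def sign_in_fixed(email: str, password: str):
    # Fixed: the caller must present the password, compared in constant time
    # against a salted PBKDF2 hash. Unknown emails still do the hashing work
    # so response time does not reveal which addresses are registered.
    rec = ATTENDEES.get(email)
    if rec is None:
        _pbkdf2(password, b"\x00" * 16)
        return None
    if not hmac.compare_digest(_pbkdf2(password, rec["salt"]), rec["pw_hash"]):
        return None
    return {"user": email}


def update_mobile(session, target_email: str, new_mobile: str) -> bool:
    # Authorisation check: a session may amend only its own record. The blog
    # notes users could amend other people's contact details; this refuses that.
    if session is None or session["user"] != target_email:
        return False
    if target_email not in ATTENDEES:
        return False
    ATTENDEES[target_email]["mobile"] = new_mobile
    return True


if __name__ == "__main__":
    register("alice@example.org", "Alice", "+44 7700 900001", "correct horse")
    print(sign_in_vulnerable("alice@example.org"))        # session with no password
    print(sign_in_fixed("alice@example.org", "wrong"))    # None
```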

But while the principle of the Tory app being subject to a massive and hugely embarrassing security flaw is amusing, the situation is actually a lot more serious.

Tory MPs have been critical of Facebook over its handling of the Cambridge Analytica row, and just a few hours before today’s flaw was revealed they were criticising the social media site for the hack of 50 million profiles.

And for the sake of not wanting to bore you, I’ll skip over the idea of mixing genuine personal emergency phone calls with prank calls from members of the public. The idea of an attendee missing a critical personal call because they have been inundated with unsolicited calls brings me anxiety.

Prime Minister Theresa May. Image: tmay.co.uk

What I’m concerned about is the sheer vulnerability of the data stored by the party in government.

Firstly, we know that today’s data leak concerned attendees of the party conference: Ministers, MPs, journalists, and other members.

We know that the data leaked were their mobile numbers and email addresses.

For elected members of Parliament, email addresses are easily found on the GOV website, but personal mobile numbers are usually kept more private.

Now I didn’t sign up to attend the conference, and I don’t know whether individuals had to set a password to access their bookings online. But if the construction of the app did not request a password for entry, then I wonder how securely the data is being stored.

This database, I also presume, would contain a little more information than just name, telephone, and email address. In fact, a quick visit to the official conference website shows that a new registrant is required to provide passport and driving licence details, as well as home address, date of birth, and town of birth.

The Conservative Party also charge for tickets, so billing details would also, presumably, be stored somewhere here too.

A lot of this data resembles the answers to the security questions asked by social media and other websites. If I was speaking to my bank over the phone, these details would make up a large portion of the security answers I’d have to provide to verify my identity.

All of this data was in a form that was ultimately accessible, in part, without a password. Even if only three fields were visible.

What would have happened if the data, visible and invisible in the app, had been subject to a much greater threat: a hack?

It’s estimated that the security flaw was public facing for about two hours or so before it was taken offline. While a few members of the public caught onto it pretty quickly, it was mostly known only to journalists attending the conference.

But let’s imagine somebody with a little bit more than a basic understanding of app security had learned about this – what kind of situation would the country be in if the personal details of senior cabinet ministers, including those not visible in the app, were leaked?

Do they run the risk of their mobiles being hacked? Their social media? Their internet banking? Could they be held to blackmail?

Criticise the party all you like for its handling of Brexit, or internal politics and leadership squabbles, but I’d really quite like them to not be distracted as the country enters what is arguably going to be the most hostile 6 months of post-war politics.

As for the party as an organisation? Fine them. I mean, the Information Commissioner’s Office (ICO) is already investigating. It’s clear to me that there was serious neglect in the build of this app – whether it’s the developers or the Conservatives to blame, there was neglect over the security of this data.


Note: Since publishing this blog post, a spokesperson for the Conservative Party has written to members and conference guests confirming that only the name, email addresses, phone numbers, job titles, and photos of conference attendees were “potentially accessible” to fraudulent access. The email states: “No other information that you may have provided when registering to attend conference was involved.”

Blog post updated: 30th September 2018 at 12pm to include the above note and statement from The Conservative Party.