Data breach of UK Conservative party app highlights the problems with app design

October 2, 2018

Apps are notorious for their poor security. App developers spend most of their time designing and writing code for an app that will attract quick and widespread pick-up. The focus is on working out what tool will be popular and useful, then working frantically to release it to the market. Data security is generally generic and an afterthought. There is little money in security. Until things go wrong.

Apps in politics and in civil society actions are becoming part of the woodwork. Communicating and mobilising via an app is considerably cheaper than a phone tree and more accessible for younger activists than email. And political parties are keen to appear connected to younger voters and members. Which is what the Conservatives attempted with their app for a recent conference starting last Sunday.

Of course the problems with data security apply, as the UK Conservative party found when its conference app failed, revealing MPs' phone numbers and other personal information, as reported by the BBC and the Guardian. The design failure was quite stark: it took only pressing the attendees button and typing in the MP's email address, which is hardly secret. Once that was done, the app revealed the MP's personal information. A big mistake. The chairman of the conference is under pressure to resign.
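The design failure described above, sketched as an added example (this is not code from the conference app or its developer; every name, record and function here is hypothetical). The first function treats a known email address as proof of identity; the rest replaces that with a one-time, expiring token that is delivered only to the mailbox itself.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample record; all names and fields here are hypothetical.
ATTENDEES = {"mp@example.org": {"name": "Sample MP", "phone": "+44 0000 000000"}}
SERVER_KEY = secrets.token_bytes(32)
TOKEN_TTL = 600        # seconds a login token stays valid
OUTBOX = {}            # stands in for email delivery to the real mailbox
USED_NONCES = set()    # enforces one-time use of each token


def login_vulnerable(email):
    """The flaw: knowing an email address is enough to read the profile."""
    return ATTENDEES.get(email.lower())


def _sign(email, expiry, nonce):
    msg = f"{email}|{expiry}|{nonce}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def request_login(email, now=None):
    """Mail a one-time token to the address; the caller learns nothing."""
    email = email.lower()
    now = time.time() if now is None else now
    if email in ATTENDEES:
        expiry, nonce = int(now) + TOKEN_TTL, secrets.token_hex(16)
        OUTBOX[email] = f"{expiry}.{nonce}.{_sign(email, expiry, nonce)}"
    # Known and unknown addresses get the same (empty) response.


def redeem_login(email, token, now=None):
    """Return the profile only for a valid, unexpired, unused token."""
    email = email.lower()
    now = time.time() if now is None else now
    try:
        expiry, nonce, mac = token.split(".")
        expiry = int(expiry)
    except (AttributeError, ValueError):
        return None
    expected = _sign(email, expiry, nonce)
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None
    if now > expiry or nonce in USED_NONCES:
        return None
    USED_NONCES.add(nonce)
    return ATTENDEES.get(email)
```

The same check has to guard every write path as well as reads, since the reports quoted below also describe profile pictures being changed.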

The BBC article provides:

Conservative MPs including Boris Johnson have had their phone numbers and other personal details revealed by the party’s conference app.

A Guardian columnist highlighted the security breach on Twitter and the BBC was also able to access private details of people attending the event.

The Conservative Party apologised for “any concern caused” and said “the technical issue has been resolved”.

The Information Commissioner’s Office said it would be making inquiries.

BBC political correspondent Chris Mason said the technical glitch was “deeply, deeply embarrassing” for the party.

The Guardian’s Dawn Foster, who is attending the conference, tweeted about the security breach and said she had been able to access the former foreign secretary’s personal details, including his mobile phone number.

She shared a redacted picture of Mr Johnson’s profile, which did not reveal his phone number.

It appears that people could access an MP’s personal details by entering their email address, without a password, when pressing the attendee’s button in the app.

This button has since been removed on the app, which was created by Australian firm Crowd Comms.

Conservative Party chairman Brandon Lewis said the app was “now functioning securely” and the party would be “investigating the issue further”.

On Thursday the Evening Standard reported Mr Lewis was set to “unveil the first ‘interactive’ conference app” on Sunday in a bid to overhaul the Conservatives’ image, and appealing to the younger voter.

Prime Minister Theresa May, who was arriving at the conference in Birmingham, ignored questions from reporters about the security blunder.

The Press Association said the details of Environment Secretary Michael Gove had also been shared online.

‘A bumpy start to a bumpy conference’

By Chris Mason, BBC political correspondent, in Birmingham

On the very day Business Secretary Greg Clark expressed concern about Facebook’s security breach, the Conservative Party has had to say sorry for its own.

This conference hasn’t even started yet, but officials are already rattled.

One Conservative source described it to me in very colourful, unbroadcastable terms, in a text message he sent me by accident.

Was this a breach of national security? No. Was it an unforced error the party could do without, and a bumpy start to what was already likely to be a bumpy conference? Yes.

And this may well not be the end of it, with the Information Commissioner’s Office now involved.

Pictures on Twitter show people apparently changing individuals’ profile pictures and leaving messages on the app’s internal messaging system.

One Twitter user posted a snapshot of Mr Gove’s profile picture, which had been changed to a snap of media mogul Rupert Murdoch.

Mr Gove previously worked as a journalist at The Times, one of Mr Murdoch’s papers.

The Information Commissioner’s Office (ICO) said it would be making inquiries about the breach and added that “organisations have a legal duty to keep personal data safe and secure”.

The ICO’s statement added under the EU’s new GDPR regulation, the Conservative Party has 72 hours to notify the regulator of a personal data breach that “could pose a risk to people’s rights and freedoms”.

One of Labour’s shadow cabinet, Jon Trickett, criticised the Conservatives for the breach and said: “How can we trust this Tory government with our country’s security when they can’t even build a conference app that keeps the data of their members, MPs and others attending safe?”

Labour’s grassroots campaign group Momentum said their party’s app had been developed by a team of volunteers, adding: “I’m sure they’d be happy to give the Tories a few tips next year.”

The Conservative Party conference is being held in Birmingham and is due to start on Sunday.
