A malfunctioning mobile app has left the Conservative Party red-faced after users were able to access phone numbers and other personal details of Cabinet ministers, as the party's conference kicked off in Birmingham this week.
Events industry app developer CrowdComms apologized “unreservedly” for the incident, explaining in a statement that it became aware of unusual activity on the platform over the weekend.
“An error meant that a third party in possession of a conference attendee's email address was able, without further authentication, to potentially see data which the attendee had not wished to share — name, email address, phone number, job title and photo,” it noted.
“The error was rectified within 30 minutes. It is likely that it affected a very small proportion of attendees and we are working with the Conservative Party to ensure any potentially affected attendees are notified.”
Before the issue was fixed, various Cabinet ministers reportedly received prank calls and some had their headshots on the app changed: former foreign secretary Boris Johnson’s pic was apparently changed to a pornographic image.
Mark Noctor, VP EMEA at Arxan Technologies, argued that organizations must start treating their applications as the new endpoint.
“Apps need to be protected from compromise or attackers can effectively bypass security controls and have access to cryptographic keys, payload formats, credentials, API endpoint references and so much more,” he warned.
“As the party of government, the Tories are meant to be passing and enforcing laws. This would appear to be a breach of GDPR law, raising to the fore whether enough has really been done to ensure data privacy. There need to be regulations that require app security to be in place and not just seen as a ‘tick box activity’ as it may have been in the past.”