Guardian newspaper columnist Dawn Foster posted images on Twitter this weekend showing how she was able to log in to the official Conservative party conference app as Boris Johnson, until recently the UK Foreign Secretary. No password was required to log in to the app; all that was needed was an email address. Once in, all the details of the user's registration were accessible. So, in the case of Alexander Boris de Pfeffel Johnson (yes, that is his real name), that meant contact details such as his mobile phone number. It also meant that the logged-in user could then post messages and comments in the account holder's name.
The Conservative party issued a statement on Saturday which apologised for "any concern caused" and confirmed that "the technical issue has been resolved and the app is now functioning securely." However, that was not before Boris Johnson's profile image had been changed to a pornographic one and that of Environment Secretary Michael Gove swapped for a picture of Rupert Murdoch. Some ministers, and other MPs, apparently reported receiving nuisance calls following the app breach.
The Information Commissioner's Office has confirmed that it is investigating the incident, and could bite the Tories with a large fine. Under the EU General Data Protection Regulation (GDPR), which the app stated it complied with in its privacy policy, that could be in the millions.
You may well think that this particular breach is somewhat small fry, rather than big fish, in terms of the numbers of people and type of data exposed. And you'd be right, were it not that some of the people whose details have been shared online are very big fish indeed within the Conservative party and the UK Government. This means that the political fallout could be more problematical than the regulatory financial consequences, especially when you consider the push for more regulation of social networks, law enforcement access to encrypted data and the like, from the direction of, erm, the Tories. One has to wonder how they are proposing to keep all the data collected by increased snooping powers safe when they cannot even secure something as relatively simple, and distinctly small, as a conference app.