The Conservative Party Conference, which is taking place 30 September to 3 October at the ICC Birmingham, suffered a security failure in its mobile app.
The flaw allowed anyone with an MP’s email address to gain access to that MP’s personal details without a password prompt. Crowdcomms, which makes the app, spotted the issue and claims to have rectified it within 30 minutes.
A statement on Crowdcomms’ website read: “On Saturday 29 September at around 1350 UK time we were made aware that a small number of attendee profiles were fraudulently accessed on the app that we are providing for the Conservative Party Conference.
“An error meant that a third party in possession of a conference attendee’s email address was able, without further authentication, to potentially see data which the attendee had not wished to share – name, email address, phone number, job title and photo.
“The error was rectified within 30 minutes. It is likely that it affected a very small proportion of attendees and we are working with the Conservative Party to ensure any potentially affected attendees are notified.
“We will also be reporting this to the ICO and reviewing and amending our Data Policies. We apologise unreservedly to the Conservative Party and their attendees.”
Guardian reporter Dawn Foster spotted the security breach, claiming she accessed Boris Johnson’s personal details.
She said on Twitter: “The Tory conference app allows you to login as other people and view their contact details just with their email address, no emailed security links, and post comments as them. It’s let me login as Boris Johnson, and just straight up given me all the details used for his registration.”