This weekend, members of the UK’s Conservative Party kicked off their annual conference in Birmingham, using the event to highlight their plans and priorities for the coming year. This year’s event had a rocky start: its official app allowed users to view the personal contact information of other attendees without entering a password.
According to the BBC, the app had a button that let users enter an attendee’s e-mail address and be logged in to that attendee’s account without being prompted for a password; an e-mail address, which is not secret, was effectively the only credential. Several attendees reported that they could not only read non-public information in the accounts of various party members, such as phone numbers and e-mail addresses, but could also change it. Various high-profile cabinet members had their accounts vandalized, and two cabinet members reportedly received prank calls as a result of the flaw.
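The flaw as reported combines two distinct failures: the login step accepts a public identifier (the e-mail address) as proof of identity, and the profile-edit step does not check that the logged-in user owns the record being changed. The following is an added illustration, not CrowdComms’ code and not a description of how their app was built. It uses a constructed in-memory attendee directory with hypothetical names and numbers, and assumes a per-attendee secret (for instance one delivered in the registration e-mail) as the credential in the fixed flow.

```python
import hmac
import secrets

# Constructed sample directory: hypothetical attendees, not real conference data.
ATTENDEES = {
    "alice@example.org": {"name": "Alice Example", "phone": "+44 7700 900001"},
    "bob@example.org": {"name": "Bob Example", "phone": "+44 7700 900002"},
}

# Hypothetical per-attendee secrets that only the legitimate owner holds.
# Generated at import so the example runs stand-alone.
ATTENDEE_SECRETS = {email: secrets.token_urlsafe(32) for email in ATTENDEES}

# Dummy value compared against when the e-mail is unknown, so that an unknown
# address does not return measurably faster than a wrong secret.
_DUMMY_SECRET = secrets.token_urlsafe(32)


def login_vulnerable(email):
    """The flow the article describes: any known e-mail address yields a session."""
    if email in ATTENDEES:
        return {"user": email}
    return None


def login_fixed(email, presented_secret):
    """Require a secret the attendee actually holds; compare in constant time."""
    expected = ATTENDEE_SECRETS.get(email, _DUMMY_SECRET)
    matches = hmac.compare_digest(expected.encode(), presented_secret.encode())
    if email not in ATTENDEE_SECRETS or not matches:
        return None
    return {"user": email}


def update_phone(session, target_email, new_phone, enforce_ownership=True):
    """Profile edit. With enforce_ownership=False it reproduces the reported
    behaviour of letting any logged-in user edit any attendee's record."""
    if session is None or target_email not in ATTENDEES:
        return False
    if enforce_ownership and session["user"] != target_email:
        # Authorization check: only the record's owner may change it.
        return False
    ATTENDEES[target_email]["phone"] = new_phone
    return True


if __name__ == "__main__":
    # Vulnerable path: log in as Alice knowing only her e-mail, then edit Bob.
    s = login_vulnerable("alice@example.org")
    print("vulnerable edit of another user:",
          update_phone(s, "bob@example.org", "+44 7700 900999", enforce_ownership=False))
    # Fixed path: e-mail alone is rejected, and the owner check blocks cross-account edits.
    print("login without secret:", login_fixed("alice@example.org", "guess"))
    s = login_fixed("alice@example.org", ATTENDEE_SECRETS["alice@example.org"])
    print("edit own record:", update_phone(s, "alice@example.org", "+44 7700 900000"))
    print("edit someone else's record:", update_phone(s, "bob@example.org", "+44 7700 900000"))
```

Both checks matter independently: a password or token on login stops strangers from entering an account, but without the ownership check on writes a legitimately logged-in attendee could still alter anyone else’s details.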
CrowdComms, the company behind the app, released a statement this morning apologizing for the oversight and noting that the issue had been fixed “within 30 minutes,” although there were apparently lingering problems, such as push notifications going to the wrong people.
The incident has prompted numerous inquiries: Conservative Party chairman Brandon Lewis said in a tweet that the party was investigating, while the Information Commissioner’s Office, the body responsible for upholding information rights, says that it is aware of the incident and is “making enquiries with the Conservative Party.” The Telegraph notes that if the party is found to have violated European data protection law, it “could face a fine of up to 4 [percent] of its income”, or £2 million. It is an embarrassing start to the party’s conference, at which the app had been touted as a way to overhaul the party’s out-of-touch image.