We're responding to a developing story here on the Digital Insider: news that a mobile app designed to support attendees at this year's Conservative Party Conference in Birmingham has leaked the personal details of several high-profile MPs.
Discerning Digital's technical director Phill Clark takes a look at exactly what we know so far.
"With their annual party conference starting in Birmingham, the Conservatives have done what most political parties do and have launched a mobile app for the event with details of what is going on plus attendees and speakers. Users could register and choose what data could be publicly shared within the app with other users.
"All fine you might think, we all do similar things on social networks and other online services but there was one very big difference here."
"Once registered, you simply needed to enter your email address to access your account again.
"I’ll repeat that because like me, you might not quite believe that, you just needed to enter your email to access the account again. No password, no PIN, no authentication of any sorts, it appears."
"Where this story gets worse and worse is then the fact that, having entered the email address, the app profile page allowed full access to the user's profile data and the ability to edit it.
"At this point, cue the realisation of smart users that, given that organisational email address structures all follow the same format, with the knowledge of any Conservative attendee's email address you had free rein to both view and edit their details.
"Unsurprisingly, people started to put this to the test, something that it should be pointed out is actually an offence under The Computer Misuse Act 1990 regardless of the unbelievable flaws in the app's build."
"Twitter is now awash with screenshots, thankfully redacted, showing Cabinet Ministers', MPs' and Conservative members' personal data - including the high-profile Boris Johnson.
"To say I am shocked is an understatement. I genuinely cannot understand how this has happened. Primary school aged kids who get into coding would know this was a fatal security flaw so how has this happened?"
Breach of Personal Security
"The app, whilst under the Conservative Party banner and App Store account, was built by a third party called CrowdComms, who build event-based apps.
"Personally, I think there are some serious questions to be answered by both parties; the app developers for how they built a product that had ZERO security and how the Conservatives could not have spotted this when testing the app?
"Leaving the reputational damage for both the developers and political party aside, the security breach of data relating to Government Ministers is astonishing and unprecedented. The ICO will surely have a field day with this and there will be heavy financial penalties coming I am sure - they have announced their intention to speak to the Conservative Party already.
"There is a simple rule; never return user data if there hasn’t been a security credential authentication.
"This error is going to have huge ramifications for the reputation of the party and the Government. If it can happen to them then it can happen to you - always check login-based functionality to a great depth to ensure there are no flaws; consider using white hat hackers and, quite simply, make sure there is a requirement for a strong password as part of the login process!"
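To make the rule in the quote concrete, here is an added illustration (not code from the conference app, CrowdComms or the article) contrasting the email-only lookup described above with a hardened version: a password verified against a salted hash creates a session, and profile reads and edits are resolved from that session rather than from a caller-supplied email address. The profile store, names and values are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Constructed sample profile store keyed by email address (no real data).
PROFILES = {
    "alice@example.org": {"name": "Alice Example", "role": "Attendee", "phone": "0000 000000"},
}

def load_profile_insecure(email: str) -> Optional[dict]:
    """The flawed pattern: knowing an email address is treated as proof of
    identity, so anyone who can guess the address can read and edit the record."""
    return PROFILES.get(email)

# Hardened version: credentials are checked first, and the profile returned is
# whichever one the session is bound to, never one the caller names directly.
CREDENTIALS = {}  # email -> (salt, pbkdf2 hash)
SESSIONS = {}     # session token -> email

def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def register(email: str, password: str) -> None:
    salt = os.urandom(16)
    CREDENTIALS[email] = (salt, _hash_password(password, salt))

def login(email: str, password: str) -> Optional[str]:
    """Return a session token only if the password verifies; None otherwise."""
    record = CREDENTIALS.get(email)
    if record is None:
        return None
    salt, stored = record
    if not hmac.compare_digest(stored, _hash_password(password, salt)):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = email
    return token

def load_profile_secure(token: str) -> Optional[dict]:
    """Resolve the profile from the session, so a caller cannot pick someone else's."""
    email = SESSIONS.get(token)
    return None if email is None else PROFILES.get(email)

def update_profile_secure(token: str, changes: dict) -> bool:
    email = SESSIONS.get(token)
    if email is None or email not in PROFILES:
        return False
    PROFILES[email].update(changes)
    return True
```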
Data breaches pose a serious risk
Talk to us about mitigating these risks across your organisation.