
Oscar Williams

News editor

Developer CrowdComms issues “unreserved apology” for security flaw in Tory conference app

CrowdComms, the Australian company behind the Conservative party conference app, has issued an “unreserved apology” for a security blunder that exposed Cabinet ministers’ phone numbers.

Delegates took to Twitter over the weekend to highlight shortcomings in the app’s security that meant anyone could log into an account if they knew or could guess its email address.

Chancellor Philip Hammond and former foreign secretary Boris Johnson were among the senior Conservatives whose phone numbers were exposed as a result of the flaw.

CrowdComms said it rectified the issue within 30 minutes – but not before MPs’ accounts were vandalised by members of the public. Johnson’s profile picture was replaced with hardcore pornography, while a photo of Rupert Murdoch was attached to environment minister Michael Gove’s profile.

The Conservative party emailed delegates about the incident on Sunday (30 September), almost 24 hours after it was first reported, claiming it affected a “small number of conference attendees”.

“The technical error was resolved within 30 minutes after being brought to our attention, the Conference App is now functioning securely and we have made an initial data breach report to the Information Commissioners [sic] Office,” the statement continued.

“But it is not good enough that people’s data may have been made available and we are disappointed that we have been let down by a third party supplier – CrowdComms.”

It is the second year running that the conference has been overshadowed by operational issues. Last year, part of the backdrop fell down during Theresa May’s speech and a prankster handed the prime minister a P45.

In a statement, CrowdComms said: “An error meant that a third party in possession of a conference attendee’s email address was able, without further authentication, to potentially see data which the attendee had not wished to share – name, email address, phone number, job title and photo. The error was rectified within 30 minutes.

“It is likely that it affected a very small proportion of attendees and we are working with the Conservative Party to ensure any potentially affected attendees are notified.

“We will also be reporting this to the ICO and reviewing and amending our Data Policies. We apologise unreservedly to the Conservative Party and their delegates.”

The Information Commissioner’s Office said it was making enquiries.