Conservative conference app: Brandon Lewis unable to confirm extent of data breach which leaked MPs' mobile numbers

Data watchdog is looking into the system flaw, which allowed anyone to access private data belonging to conference attendees

Lizzy Buchan
Political Correspondent
Sunday 30 September 2018 13:41 EDT
Brandon Lewis refuses to say how many people affected by Tory conference app breach

The Conservative Party chairman has been unable to reveal the true extent of a major data breach which exposed cabinet ministers’ private details on the party’s official conference app.

Brandon Lewis said the party was treating the system flaw as a “serious matter” which affected a “limited number” of people, but he refused to give further details after repeated questions about how many people had been affected.

The blunder could cost the Tories up to £2m in fines and raises serious security questions, as high-ranking government ministers such as the defence secretary Gavin Williamson were reportedly affected.

It also risked overshadowing the first day of the Conservative conference in Birmingham, where Theresa May is already facing rampant Brexit infighting and questions over her leadership.

Mr Lewis told Sky News’s Ridge on Sunday: “Any breach of data is a serious matter, that’s why we are taking it seriously. We are investigating, we have already contacted the Information Commissioner and we will be putting in a fuller report to them.”

He went on: “This will affect people where somebody has guessed or knew somebody’s email address and was able to therefore log in as them.

“So it will be a limited number of our delegates here but we are contacting the delegates at conference to explain to them exactly what has happened and what they can do about that.”

Asked who was responsible, he said: “I can’t get into the details at the moment in terms of the numbers because we are doing the investigation at the moment, working with the company who supplied the app, who supply companies like Barclays and Nissan and eBay for conferences and things around the world.”

He said the problem had been fixed within half an hour of uncovering the security issue and the app was functioning securely.

Pressed on whether the breach could ramp up abuse to politicians, he said: “We are doing a full investigation to see what exactly and who exactly was able to be accessed in this way.”

Mr Lewis also sidestepped questions about whether he would resign over the debacle and said his priority was ensuring the problem is addressed.

The security breach was discovered on Saturday when users noticed they could access private data for any attendees, simply by logging into the app using an email address.

Some users accessed Boris Johnson’s profile, which provided them with the ex-foreign secretary’s phone number, while others reportedly posted pornography as his profile picture.

An ICO spokesperson said: “We are aware of an incident involving a Conservative Party conference app and we will be making enquiries with the Conservative Party.

“Organisations have a legal duty to keep personal data safe and secure. Under the GDPR they must notify the ICO within 72 hours of becoming aware of a personal data breach, if it could pose a risk to people’s rights and freedoms.”
