Defence Minister's Phone Number Leaked in Tory App Blunder - School Kids First to Prank
THE CONSERVATIVE Party is facing a big data-breach fine after the mobile phone numbers of MPs were leaked on an App - including the highly-sensitive details of Defence Minister Gavin Williamson.
A security flaw meant anyone downloading the party's official App ahead of its conference in Birmingham could log in as a registered attendee - using just an MP's public email address - without a password.
Once inside, the private personal contact details of hundreds of Ministers and MPs were openly available, and their profile photographs vulnerable to being changed.
It left the Brexit-torn Tory hierarchy at the mercy of mischief makers, one of whom replaced former Foreign Secretary Boris Johnson's photograph with hardcore pornographic images.
And two sixth form politics students from South East London were among the first to mischievously exploit the digital security loophole, which has left the Government in potential breach of GDPR laws.
One of the 17-year-olds rang South Staffordshire MP Mr Williamson - the man responsible for the nation's military security - after hacking into the freely-available database.
Asking not to be named, he told Byline: "I called the Defence Minister Gavin Williamson, to check if the numbers worked. It did, it was real.
"His number was on there. It's 07*** 00**47. I said: 'Hey! Who's that?' And he said: 'Who's that?'"
"I didn't have time to do any other ministers because I've got a Saturday job. But it was fun."
The enterprising youngster added: "My friend also called Gavin Williamson - then he hung up on both of us.
"I've got him as a contact on my phone now. I'm doing Government and Politics at A-Level."
The youth said it was shockingly simple to gain the sensitive details, which in the wrong hands could leave top Tories open to hostile surveillance.
He said: "We first found out about the leak at around 2:30 in the afternoon today, from another mate.
"I basically tapped on the 'Attendees' icon of the conference app - and all the numbers were there."
The system flaw, which was fixed quickly, allowed users to log in as delegates due to attend the Tory party conference next week.
Using their emails, anybody could sign in and download hundreds of phone numbers and personal details of high-profile politicians, including Boris Johnson.
The breach is a potential violation of GDPR data protection laws and a huge embarrassment for the Tories - who have vowed to 'regulate the internet' and crack down on irresponsible data use.
If the phone numbers were not already publicly available, then the Party faces the prospect of a large fine from the data watchdog, the Information Commissioner's Office (ICO).
Manchester-based cyber security expert Kevin Beaumont criticised the App's developers for failing to carry out "basic due diligence".
According to the App's 'about' section, it was designed by Australian firm CrowdComms, which claims it "delivers seamless event tech solutions."
Mr Beaumont said: "The Conservative party mobile app had no requirement for a password, just an email address, to view and edit details.
"Unfortunately MPs' email addresses are public record - they’re on the Parliament website - so there was essentially no security whatsoever to access personal information.
"A basic due diligence assessment by the company, who made the app, would have picked this up, assuming basic competence."
The Conservative Party has since apologised to its delegates, blaming CrowdComms, which itself has apologised "unreservedly" for its "error".
An ICO spokesperson said: "We are aware of an incident involving a Conservative Party conference app, and we will be making inquiries with the Conservative Party.
"Organisations have a legal duty to keep personal data safe and secure. Under the GDPR they must notify the ICO within 72 hours of becoming aware of a personal data breach, if it could pose a risk to people's rights and freedoms."
A Conservative spokesman added: "The technical issue has been resolved and the app is now functioning securely. We are investigating the issue further and apologise for any concern caused."