The Conservative party has said it was "let down" by the developers behind its conference app after it accidentally allowed the personal mobile phone numbers of hundreds of MPs, journalists, and party members to be revealed to the public.
A security flaw allowed anyone who downloaded the app to log in as any attendee to the party conference, which begins in Birmingham tomorrow, using only their email address. No password was required to view any attendee's personal details, including their mobile phone number.
No other information provided was accessible as a result of the breach.
"It's not good enough that people's data may have been made available and we are disappointed that we have been let down by a third party supplier – CrowdComms," a Conservative spokesperson wrote in a statement on Sunday.
CrowdComms has accepted responsibility for the error. "It is likely that it affected a very small portion of attendees and we are working with the Conservative party to ensure any potentially affected attendees are notified," a CrowdComms spokesperson said in a statement.
"We apologise unreservedly to the Conservative party and their delegates."
The technical error which allowed this security breach was resolved within 30 minutes, according to Sunday's statement, and a report has been submitted by the party to the Information Commissioner's Office.
In that time BuzzFeed News was able to access the personal mobile phone numbers of cabinet ministers, MPs, journalists, and Tory party members within seconds.
Users of the app are also able to change the privacy settings of other attendees using only their email address, allowing anyone else using the app to search their name and then view their mobile number. At least two cabinet ministers have received prank calls on their personal mobiles from members of the public.
The Conservative party confirmed that email addresses, phone numbers, job titles and photos were made accessible by the breach.
"We want to assure you that no other information that you may have provided when registering to attend conference was involved," the statement said.
An MP who had their personal phone number tweeted out told BuzzFeed News: "CCHQ genuinely can’t be trusted to do anything. This is a serious security breach and no laughing matter. Whoever is responsible needs to go."
Labour MP Jon Trickett said: "How can we trust this Tory Government with our country's security when they can't even build a conference app that keeps the data of their members, MPs and others attending safe and secure?"
Journalist Dawn Foster reported being able to log in as Boris Johnson and then view his personal mobile number.
The security loophole was closed within 30 minutes.
A Conservative spokesman said: "The technical issue has been resolved and the app is now functioning securely. We are investigating the issue further and apologise for any concern caused."