The Conservative Conference app allowed anyone to see the mobile numbers of attendees and to change their photos and details.
By Nick Stylianou, technology producer and Alix Culbertson, news reporter
The personal details of ministers and other MPs could be accessed by anyone after a major security flaw in the Conservative Party’s official conference app.
The mobile phone numbers of Chancellor Philip Hammond and former foreign secretary Boris Johnson were among those which could be accessed without a password.
Several ministers, including those with top-ranking security clearance, were reported to have received nuisance calls from the public after the breach.
Anybody could type in an attendee’s email address – those of MPs are available on parliament’s website – to access their profile.
Sky News has found that it was also possible to change the photos and details of cabinet members, MPs, journalists and local councillors attending conference in Birmingham.
Environment secretary Michael Gove’s picture was reportedly changed to one of Rupert Murdoch, and his email to a fictional Sun newspaper address.
Sky News political editor Faisal Islam was among those who could easily be searched for, and whose details were made available.
It raises questions over whether the app breaches data protection policy.
The security flaw, which happened as Tory Party members arrived at conference for its first day, has now been fixed.
Events technology company Crowd Comms created the app, with the terms and conditions directing users to the firm’s offices in Australia.
A Conservative Party spokesman said: “The technical issue has been resolved and the app is now functioning securely. We are investigating the issue further and apologise for any concern caused.”
Theresa May ignored questions from Sky News about the security blunder as she arrived at conference.
Sky News’ technology correspondent, Rowland Manthorpe, said under new GDPR rules this kind of breach could result in a fine of £20m or 4% of turnover, depending on their response.
He said: “A hacker can do an awful lot with just an email address and a phone number.
“I’ve seen screenshots from the app of a squadron leader from the RAF and somebody from the Met Police – they all need to change their phone numbers now.”
Jon Craig, Sky News’ chief political correspondent, at conference, said: “We haven’t even started the conference yet and they’ve had a blunder.
“Last year, at the end of conference, the letters fell down on the set behind the prime minister as she spoke.
“People are just arriving, the Tory party chairman only arrived in the past hour – he seemed quite confident there wouldn’t be any blunders.
“But just minutes after I finished speaking to him, this happened.
“They seem to have dealt with it pretty quickly, but potentially very serious indeed.
“We’re surrounded by enormous security, bag checks, you can’t bring a bottle of water in, there are thousands of police and here we have a blunder on the Tory Party’s own app.”
Jon Trickett, Labour’s shadow minister for the Cabinet Office, said: “How can we trust this Tory Government with our country’s security when they can’t even build a conference app that keeps the data of their members, MPs and others attending safe and secure?
“The Conservative Party should roll out some basic computer security training to get their house in order.”