UK Conservative Party Conference App Reveals Personal Information About MPs



A mobile conference application developed for the UK Conservative Party disclosed the private details of people who registered at party conferences, including details of party members and representatives of the British government.

The leak was discovered Saturday afternoon, Sept. 29, by Guardian columnist Dawn Foster, who published her findings on Twitter.

Foster discovered that anyone wishing to attend a videoconference using the Conservative Party's mobile app would only have to register using an email address.

The application did not use any type of authentication mechanism, such as passwords or one-time codes sent by email. A user only had to enter an email address in the login field of the application to access a profile page.
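The login behaviour described above, next to one of the mechanisms the article names as missing (a one-time code sent by email), as an added Python example that is not the conference app's code. The profile store, the function names, and the expiry and attempt limits are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL = 600      # seconds a one-time code stays valid (assumed policy)
MAX_ATTEMPTS = 5    # wrong guesses allowed per issued code (assumed policy)

# Constructed sample data, not taken from the incident.
PROFILES = {"attendee@example.org": {"name": "Constructed Attendee", "phone": "000"}}
_pending = {}       # email -> [code_hash, expires_at, attempts_left]


def login_email_only(email):
    """Flawed pattern from the article: knowing an address is enough."""
    return PROFILES.get(email)


def _digest(code):
    return hashlib.sha256(code.encode()).digest()


def request_code(email, send, now=None):
    """Issue a 6-digit code and deliver it out of band via send(email, code)."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"
    if email in PROFILES:  # caller sees the same result for unknown addresses
        _pending[email] = [_digest(code), now + CODE_TTL, MAX_ATTEMPTS]
        send(email, code)


def login_with_code(email, code, now=None):
    """Return the profile only if the caller proves control of the mailbox."""
    now = time.time() if now is None else now
    entry = _pending.get(email)
    if entry is None or now > entry[1]:
        _pending.pop(email, None)       # drop expired codes
        return None
    if not hmac.compare_digest(entry[0], _digest(code)):
        entry[2] -= 1
        if entry[2] <= 0:               # stop guessing through the code space
            del _pending[email]
        return None
    del _pending[email]                 # codes are single use
    return PROFILES[email]
```

With `login_email_only`, guessing an address returns the profile; with `login_with_code`, the guesser also needs access to that mailbox.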


It did not take long after Foster's revelations for Twitter users to realize that they only had to guess the e-mail address of a Conservative Party member to access that member's account.

Some party members signed up for the application with official e-mail addresses issued by the party or government, such as Michael Gove (UK Secretary of State for the Environment, Food and Rural Affairs), Boris Johnson (Secretary of State for Foreign Affairs) and personalities of the Conservative Party.

Criminals abused the application's defective login system to share users' personal information online or to modify their profile information.

For example, one user accessed Boris Johnson's account and changed the profile picture to a pornographic one, while another changed Michael Gove's profile picture to a photo of Rupert Murdoch, his former employer.

Some of the phone numbers and e-mail addresses of well-known British MPs were shared on Twitter earlier in the day. Some received calls and stuffing messages.

In a statement posted on its website, the Information Commissioner's Office (ICO), the United Kingdom's privacy watchdog, said it was aware of the incident and that it would "investigate".

"Organizations have the legal obligation to preserve the security of their personal data. Under the GDPR, they must notify the ICO 72 hours after being informed of a personal data breach if this could pose a risk to the rights and freedoms of people," said the ICO.

Access to the app was temporarily halted after Foster's tweets to avoid abuse, but the app is now back online, ready for a Sunday conference, according to a tweet from Brandon Lewis, President of the British Conservative Party.
