UK Government’s conference gaffe – no harm done?

It may have been a two-hour snarl-up, but the implications of the Conservatives' app blunder go much deeper.
3 October 2018

Conservative MP Priti Patel, Stanley and Rachel Johnson look at Stanley’s phone at the British Conservative Party’s conference. Source: AFP PHOTO / Ben STANSALL

The recent flaw discovered in the UK Conservative Party’s app, created for its annual conference, brings to light several cybersecurity issues that bear directly on preventing data breaches.

In case the news passed you by, a mobile app written specifically for the British Conservative Party’s annual conference was found to be accessible by entering a user’s email address alone, with no password or other identity verification required.

On discovering this, UK Guardian journalist Dawn Foster found that by guessing prominent Conservative Party members’ email addresses (many used their publicly available address), she was able to masquerade as several leading figures in the party, including leadership hopeful Boris Johnson.

The security breach was known only to a few journalists after it was discovered, and the flaw was closed within two hours of its discovery. However, in that time, Foster and others were able to receive messages intended for official attendees and to learn the private mobile phone numbers of many leading lights in the Conservative Party.

In any situation in which data security is paramount, the human factor plays a significant role in opening up networks and databases to those with malicious intent.

Many companies are committed to training staff in good online practice (so-called cyber hygiene), and there is a new wave of cybersecurity solutions designed to protect the new generation of endpoints, specifically mobile phones and tablets. But despite increasingly complex technological barriers to cyber incursions, human error still leads to numerous leaks and incidents.

What is particularly alarming about the incident at the Conservative Party’s annual conference is not the seemingly obvious flaw of the app not requiring a password, nor the fact that the ruling Conservative Party should be setting a cybersecurity example for others to follow, but rather that the leak of a limited dataset had the potential to be so much worse than it was. The reason lies in database access practices.

One might assume that the list of attendees at the conference was drawn from Conservative Party records held on a central database.

Once access to a limited set of data was established (sources say that only phone number and name were ever revealed), any other fields or tables in the same database schema would have been at much higher risk.

While selectively duplicating tables and fields into a new database instance, thereby separating sensitive data from the discrete subset the app needs, may have been a sensible precaution in this latest instance, this type of separation is not always practical.
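As an added illustration of the precaution just described (this is not code from the original article or from the party’s app), the conference app below is fed a separate instance holding only the attendee subset and only the fields it needs, so a full read of that instance cannot reach the rest of the membership record; the schema, the sample rows and the assumption that email is the app’s lookup key are all constructed:

```python
import sqlite3

# Constructed sample of a central membership database. All values are placeholders.
CENTRAL_ROWS = [
    ("Member One",   "one@example.test",   "+44 7700 900001", "1 Placeholder Rd", "donor"),
    ("Member Two",   "two@example.test",   "+44 7700 900002", "2 Placeholder Rd", "vip"),
    ("Member Three", "three@example.test", "+44 7700 900003", "3 Placeholder Rd", ""),
]
# Fields the conference app actually needs (assumption: email is the lookup key,
# name and phone are what the app displays).
CONFERENCE_FIELDS = ("name", "email", "phone")

def build_central_db():
    """Central party database holding every member and every field (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (id INTEGER PRIMARY KEY, name TEXT, email TEXT, "
                 "phone TEXT, address TEXT, notes TEXT)")
    conn.executemany("INSERT INTO members (name, email, phone, address, notes) "
                     "VALUES (?, ?, ?, ?, ?)", CENTRAL_ROWS)
    return conn

def build_conference_db(central, attendee_emails):
    """Selective duplication: copy only the attendee subset and only CONFERENCE_FIELDS
    into a separate instance, so a compromised app exposes nothing beyond them."""
    conf = sqlite3.connect(":memory:")
    conf.execute("CREATE TABLE attendees (name TEXT, email TEXT, phone TEXT)")
    marks = ", ".join("?" for _ in attendee_emails)
    rows = central.execute(
        "SELECT name, email, phone FROM members WHERE email IN (%s)" % marks,
        list(attendee_emails)).fetchall()
    conf.executemany("INSERT INTO attendees (name, email, phone) VALUES (?, ?, ?)", rows)
    return conf

def blast_radius(conn, table):
    """What a full read of this instance would expose: (column names, row count)."""
    if table not in ("members", "attendees"):
        raise ValueError("unknown table")
    cols = tuple(r[1] for r in conn.execute("PRAGMA table_info(%s)" % table))
    count = conn.execute("SELECT COUNT(*) FROM %s" % table).fetchone()[0]
    return cols, count

if __name__ == "__main__":
    central = build_central_db()
    conf = build_conference_db(central, ["one@example.test", "two@example.test"])
    print("central:   ", blast_radius(central, "members"))
    print("conference:", blast_radius(conf, "attendees"))
```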

Security measures in relational or non-relational databases are matters for highly technical IT security teams, and good practice in these areas needs to go hand in hand with more “touchy-feely” human-based activities, such as educating staff and users about good online practices.

“How can we trust this Tory government with our country’s security when they can’t even build a conference app that keeps the data of their members, MPs, and others attending safe and secure?” said John Trickett, the opposition Labour Party’s Shadow Cabinet Office minister. “The Conservative party should roll out some basic computer security training to get their house in order.”