The Tory Conference app has been hacked and people have got hold of Boris Johnson’s mobile number, prank called the Secretary of State for Defence Gavin Williamson, changed Michael Gove’s profile pic to Rupert Murdoch… well you get the idea. When Guido says “hacked” he actually means you just had to enter Boris’s email address and you were logged in as him. Which is exactly what Guardian columnist Dawn Foster did when she logged on as Boris Johnson. She then – illegally in a breach of data protection laws – tweeted out the exploit to all and sundry leading to a massive data breach being opened for almost an hour before CCHQ managed to shut down all the personalisation functions. The app store says the app was heavily downloaded today…
Guido is a bit late to reporting this because for the last 3 hours he has been trying to discover what personal data of his is out in the public domain. Under the GDPR, organisations are obliged to inform individuals without undue delay. They must also:
- ensure you have robust breach detection, investigation and internal reporting procedures in place. This will facilitate decision-making about whether or not you need to notify the relevant supervisory authority and the affected individuals.
- keep a record of any personal data breaches, regardless of whether you are required to notify.
Guido contacted the CCHQ press office trying to find out what was going on after he saw his conference pass photo was out there on the internet and he got a prank text message. At the time of going to pixel, attendees have not even been informed of the data breach unless they logged in before the personalisation functionality was removed. If, like Guido, you had no idea about the existence of the app, never mind that your data was on it, you will not have been informed. Journalists, MPs, ministers, diplomats and regular delegates who have been compromised will not know unless they are told by CCHQ – as required by law. So that warning needs to go out, now.