October 1, 2018

A Conservative Party GDPR fine is unlikely – but the political fallout could be significant

By Lucy Ingham

This weekend news broke of an app breach at the Conservative Party conference, prompting predictions of an embarrassing Conservative Party GDPR fine. Due to a flaw in the app, any of its users could log in as anyone else, revealing key personal details in the process.

Initial headlines suggested that the Tory party would face a punishing fine for the gaffe – up to £2m if the full force of GDPR was applied. But with the breach being minor compared to high-profile incidents such as the Facebook breach, and app makers Crowd Comms taking quick action to correct the issue, it is considered highly unlikely that this will happen.

“It is very unlikely that the Conservative Party will be fined for this major security blunder and like all previous errors they will not accept any responsibility nor accountability for lack of security, which we will likely see being passed on to the Australian firm Crowd Comms which developed the app,” said Joseph Carson, chief security scientist at Thycotic.

Could the ICO bow to political pressure over a Conservative Party GDPR fine?

The ICO, the arm of the government responsible for issuing GDPR fines, will ultimately make the decision about whether both the Conservative Party and Crowd Comms deserve fines. And while both are potentially liable, this is considered unlikely.

“Both the Conservative Party and the Australian firm Crowd Comms are liable for the failure in ensuring adequate security was applied under the EU GDPR regulation,” said Carson.

“However, the sensitivity of the data that was disclosed was limited as well as the small scale of the data breach will likely see this particular incident not being fined under EU GDPR.”

On the face of it, this will be a decision based entirely on the severity of the incident and the steps taken to prevent a recurrence. However, with GDPR being so new, incidents at this stage play a key role in setting long-term precedents, and for this reason the Conservatives may see themselves slapped with a relatively minor fine.

“If any fine is placed on the Conservative Party it would be very low, likely around the 50k mark or so just to set a foundation on future security blunders,” said Carson.

However, there is a political concern.

If the ICO opts not to fine the Conservatives, it risks being seen as soft on the party currently in charge. This would be a significant problem both for the Government and the ICO, harming the credibility of the organisation at this early stage – even though the choice not to issue a fine may be entirely justified.

In order to avoid such a situation, the ICO may opt to be more punishing than it would otherwise be in order to avoid accusations of favouritism.

Red-faced Conservatives: App flaw a gift to the opposition

Even if the ICO opts to issue no fine at all, the incident is deeply embarrassing to the government – and an absolute gift to the opposition.

This is in part because the security flaw was so basic that it required no IT expertise at all to take advantage of.

“The security blunder is very simple: that a very important part of the mobile app which allows you to check your registration details did not have security at all other than entering an email address. So you could pretend to be anyone who had already registered and view the personal data that they had provided during registration,” said Carson.

“This shows that the company behind developing and designing the app did not prioritise security as part of the development process and this is a failure on both the Conservative Party and the Australian firm Crowd Comms parts.”
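The flaw Carson describes is a registration lookup gated on nothing but a user-supplied email address. The following is an added illustration, not code from the conference app or from Crowd Comms: a minimal Python model of that weak lookup beside a hardened version in which the server takes the caller's identity from an authenticated session and refuses to return any record but the caller's own. The sample records, function names and session mechanism are all constructed for the example.

```python
"""Added example (not the conference app's or Crowd Comms' code).

Models the weak "enter an email, get that registrant's details" lookup
described in the article, and a hardened lookup bound to a session.
All data and names here are constructed for illustration.
"""
import secrets

# Constructed sample registration records, keyed by email address.
REGISTRATIONS = {
    "alice@example.org": {"name": "Alice Example", "phone": "01632 960001"},
    "bob@example.org": {"name": "Bob Example", "phone": "01632 960002"},
}


class AccessDenied(Exception):
    """Raised when a caller is not entitled to the record requested."""


def lookup_registration_weak(email: str) -> dict:
    """Weak form: the only 'credential' is the email address itself.

    Anyone who knows or guesses a registrant's email can read their record,
    which is the behaviour the article describes.
    """
    return REGISTRATIONS[email]


# --- Hardened form: identity comes from an authenticated session -----------

# Maps an unguessable session token to the email it was issued for.
SESSIONS = {}


def issue_session(email: str, login_verified: bool) -> str:
    """Hypothetical login step.

    In a real app `login_verified` would be the result of checking a
    password, one-time code or magic link; here it is a plain flag.
    """
    if not login_verified or email not in REGISTRATIONS:
        raise AccessDenied("login failed")
    token = secrets.token_urlsafe(32)  # 256 bits of randomness, not guessable
    SESSIONS[token] = email
    return token


def lookup_registration(token: str, requested_email: str) -> dict:
    """Hardened form: the server decides who the caller is from the session,
    not from the request body, and serves only the caller's own record."""
    session_email = SESSIONS.get(token)
    if session_email is None:
        raise AccessDenied("no valid session")
    # The client may still send an email parameter; it must match the
    # authenticated identity, otherwise this is an attempt to read
    # someone else's data.
    if requested_email != session_email:
        raise AccessDenied("record belongs to another registrant")
    return REGISTRATIONS[session_email]


def can_read(token: str, requested_email: str) -> bool:
    """Convenience wrapper: True if the lookup succeeds, False if denied."""
    try:
        lookup_registration(token, requested_email)
        return True
    except AccessDenied:
        return False


if __name__ == "__main__":
    # Weak lookup: no session needed, any registrant's details are readable.
    print("weak:", lookup_registration_weak("bob@example.org"))
    # Hardened lookup: Alice can read her own record but not Bob's.
    tok = issue_session("alice@example.org", login_verified=True)
    print("own record:", lookup_registration(tok, "alice@example.org"))
    print("other's record readable?", can_read(tok, "bob@example.org"))
```

The point of the hardened form is the order of operations: first establish who the caller is from something only they hold (the session token), then decide which record that identity is entitled to, and only then read the data. Any lookup that starts from a value the client can freely type, as the email-only check did, skips the first step entirely.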

Such a blunder comes as the UK government seeks to position the country as a leader in technology, touting the industry as a valuable part of the post-Brexit strategy, despite a skills shortage warning.

Cybersecurity has formed a key part of this, with the establishment of the National Cyber Security Centre in 2016 and an investment of $1.9bn in the sector to grow the country’s defence and might in this area.

For the Tories, the party behind these initiatives, to appear so blind to good cybersecurity with the Conservative Party Conference app breach is deeply embarrassing.

Any opposition worth its salt will make use of this gaffe to criticise future government technology policy – potentially undermining Brexit-related efforts in this area. And for a party fighting to maintain an increasingly uncertain course, this is a far greater risk than any Conservative Party GDPR fine may be.
