Monday 10th December 2018

Two British political parties have announced suspected data breaches

The suspected data breaches are believed to have affected members of the Welsh Conservatives and the Liberal Democrats. In both instances it's unclear how many users have been affected.
by Jason Smith on 3rd July 2018

Two British political parties, the Liberal Democrats and the Welsh Conservatives, have announced suspected data breaches.

The data breach that may have affected members of the Welsh Conservative party involves an anonymous email that was sent soliciting members’ support for an “open and honest debate” about the future of its party.

It was sent on the 29th June, following the resignation of leader Andrew RT Davies. It expressed concern that a new candidate, Paul Davies, could accede to leadership of the party without input from the membership.

The problem is it’s unclear where the email originated from. Moreover, the email contained a link to a petition that was subsequently removed or deleted. The Welsh Conservative party has confirmed it did not send the email.

According to ITV, the Chairman of the Welsh Conservative Party, Byron Davies, subsequently sent an email to members outlining arrangements for the new leadership election. In the email, and in reference to the earlier anonymous email, he stated:

“At the same time as we were meeting, and highlighting the importance of engagement with you the members, some of you may have received an unauthorised and anonymous email purporting to have come from our party. It did not, and should be ignored. We apologise for what could be a data breach and assure you we are taking it incredibly seriously.”

The UK’s data protection authority, the Information Commissioner’s Office (ICO), has confirmed to ITV it’s investigating the suspected breach.

Meanwhile, the Liberal Democrats have also confirmed a data breach associated with US-based data collection tool Typeform. As we reported last week, Typeform identified a data breach on 27th June that gave a third party access to its backup files.

Typeform claims that only data collected before the 3rd May was affected.

In an announcement on its website, the Liberal Democrats state that Typeform has informed them that “data from Liberal Democrat members was among the data affected” and all affected members will receive an email informing them of the breach.

The data accessed by the third party includes names and email addresses, and the Liberal Democrats have told their members to “watch out for potential phishing scams or spam emails.” The leaked data also contained information about members’ political opinions.

The political party also states it will be “re-evaluating its relationship with [Typeform] in light of this incident” and that it has reported the incident to the Information Commissioner’s Office.

Last month we also reported on the ICO’s concerns about the “democratic engagement principle” in the Data Protection Act 2018, which many British MPs appear to be utilizing as a basis to collect users’ data.