UK Conservative Party conference app breach via CrowdComms (September 2018)
Incident Details
On September 30, 2018, during the UK Conservative Party’s annual conference in Birmingham, a serious security vulnerability in the official conference mobile application was publicly exposed. The app had been developed by CrowdComms, an Australian company specialising in mobile event applications for conferences and trade shows.
The flaw was a fundamental authentication failure: the application allowed any user to log in as any other conference attendee using only that person’s email address; no password was required. This meant that any attendee who possessed another delegate’s email address could access the victim’s full profile as stored in the conference system.
Guardian journalist Dawn Foster discovered and publicly demonstrated the vulnerability during the conference, posting a screenshot on social media showing the private details of former Foreign Secretary Boris Johnson. The app exposed names, email addresses, personal mobile phone numbers, job titles, and profile photos. Because the app was used by a politically sensitive audience, the exposed data included the private mobile numbers of hundreds of Conservative MPs, government ministers, senior party officials, and accredited journalists.
The security issue was reported and resolved within approximately 30 minutes. The Conservative Party submitted a report to the Information Commissioner’s Office and issued an apology for any concern caused. Party officials stated they had been “let down” by the CrowdComms platform.
The incident attracted significant media attention because of the political sensitivity of those affected. Boris Johnson’s personal mobile number had already been publicly circulated for some years due to a separate prior incident, but the exposure of hundreds of other political figures’ private contact details raised concerns about the potential for harassment, social engineering, and targeted influence operations against political targets.
The breach illustrated a recurring risk in the events technology sector: conference apps routinely aggregate the private contact details of high-profile attendees and are frequently built and deployed under tight timelines, with insufficient security review. The lack of even basic authentication (requiring a password alongside an email address) represented an elementary security failure by the vendor.
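To make the failure concrete, the following is an added example (not code from CrowdComms or the conference app, whose implementation is not public) showing a login check of the kind described above beside a hardened version. The attendee records, email addresses and passwords are constructed sample data; the function names are this example's own. The insecure variant returns a profile as soon as the email address is known; the hardened variant requires a password, stores only a salted PBKDF2 hash, compares in constant time, and fails identically for unknown emails and wrong passwords so that the login endpoint cannot be used to confirm which delegates are registered.

```python
import hashlib
import hmac
import os
from typing import Optional

PBKDF2_ITERATIONS = 100_000  # illustrative work factor for this example


def _hash_password(password: str, salt: bytes) -> bytes:
    """Derive a salted PBKDF2-HMAC-SHA256 hash; the plaintext password is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def make_attendee(email: str, name: str, mobile: str, password: str) -> dict:
    """Build a constructed attendee record with a per-user random salt."""
    salt = os.urandom(16)
    return {
        "email": email.lower(),
        "name": name,
        "mobile": mobile,
        "salt": salt,
        "pw_hash": _hash_password(password, salt),
    }


# Constructed sample data (hypothetical delegates, reserved example domain, fake numbers).
ATTENDEES = {
    a["email"]: a
    for a in [
        make_attendee("delegate1@example.invalid", "Delegate One", "+44 7700 900001", "correct horse"),
        make_attendee("delegate2@example.invalid", "Delegate Two", "+44 7700 900002", "battery staple"),
    ]
}


def login_insecure(email: str) -> Optional[dict]:
    """Mirrors the flaw described in the incident: knowing an email address is enough.

    Anyone who can guess or obtain a delegate's address gets that delegate's profile,
    including the private mobile number, with no proof of identity at all.
    """
    rec = ATTENDEES.get(email.lower())
    if rec is None:
        return None
    return {"name": rec["name"], "mobile": rec["mobile"]}


# Dummy credential used so that unknown emails cost the same hashing time as wrong passwords.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password("not-a-real-password", _DUMMY_SALT)


def login_secure(email: str, password: str) -> Optional[dict]:
    """Hardened check: a valid password is required before any profile data is released.

    Returns None for both unknown email and wrong password, after the same amount of work,
    so the response neither confirms registration nor leaks timing differences.
    """
    rec = ATTENDEES.get(email.lower())
    salt = rec["salt"] if rec is not None else _DUMMY_SALT
    expected = rec["pw_hash"] if rec is not None else _DUMMY_HASH
    candidate = _hash_password(password, salt)
    # hmac.compare_digest avoids early-exit byte comparison; the rec check comes last
    # so the hash is always computed regardless of whether the email exists.
    if not hmac.compare_digest(candidate, expected) or rec is None:
        return None
    return {"name": rec["name"], "mobile": rec["mobile"]}


if __name__ == "__main__":
    print("insecure, email only:", login_insecure("delegate1@example.invalid"))
    print("secure, no valid password:", login_secure("delegate1@example.invalid", "guess"))
    print("secure, valid password:", login_secure("delegate1@example.invalid", "correct horse"))
```

In a real deployment the same principle extends beyond the login step: the profile fields returned to other attendees should be limited to what the delegate has chosen to share, so that even an authenticated session cannot enumerate private mobile numbers.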
Technical Details
- Initial Attack Vector
- Missing authentication vulnerability in a conference app built by third-party provider CrowdComms: the app allowed any user to log in as any other attendee using only an email address, with no password required, exposing profile data including personal mobile phone numbers for hundreds of MPs, ministers, journalists, and conference delegates
- Vendor / Product
- CrowdComms conference app
- Supply Chain Attack
- Confirmed third-party / vendor compromise
Timeline
- 2018-09-30 Breach occurred
- 2018-09-30 Publicly disclosed
- 2018-09-30 Customers notified