Cyber security researchers identified a flaw on the Labour Party website which published full names and donation amounts of some of its backers – the same day it was hit by a DDoS attack.
The party website made headlines when it was taken offline following a cyber attack that is said to have originated from computers in Russia and Brazil, but which has not been linked to any state activity. Amid this hoo-ha, however, many failed to notice the data flaw which saw donors’ personal data published on the website for all to see.
The names of its donors – and the amount they’d pledged – had been stored in an RSS feed and hosted on the donation platform. This meant anyone was able to read it, with any web browser and without login credentials.
Whilst the RSS feed was set up to publish each donor’s first name and amount, some had mistakenly written their full name into the field, meaning this is what was published.
Labour denied that any security flaw or reportable data breach had occurred (as the setup was similar to those on JustGiving pages, for example, which offer a ticker of recent donors and the amount they pledged), though the party did take the RSS feed offline shortly after the issue was raised.
Despite Labour’s staunch defence, there were concerns around whether these donors were aware their names and amounts would be published online, and whether they had agreed for it to happen.
Cyber security blogger Graham Cluley noted that the fact this information came from an RSS feed suggests it was “more of a boo-boo than a serious security problem”, but also that more serious questions may need to be answered if those donating didn’t have the option of declining publicity. The Information Commissioner’s Office told the BBC that, whilst it wouldn’t comment on individual cases, it would closely monitor how political parties use personal data in the run up to this election, and will ensure “all parties and campaigns are aware of their responsibilities.”
