EXCL Liberal Democrats left voters' personal information exposed in data breach blunder

The Liberal Democrats left voters' personal details exposed online in an astonishing data breach, PoliticsHome can reveal.



The party said it had launched an "urgent investigation" after the names, addresses and other information about members of the public in Lewisham East, south east London, were made easily available.

Dates of birth, mobile and home telephone numbers and details of an individual’s nearest polling station were provided to party activists alongside a phone script ahead of next week's parliamentary by-election in the constituency.

But the data was inadvertently left accessible to the general public due to a security foul-up exposed by this website.

Information gathered through the party's canvassing operations was also made available, with voters identified by tags indicating their political leanings such as “Yellow Labour” and “Weak Lib Dem”. In some cases, this information was available for entire families.

Here is the Lib Dems phone bank script for Lewisham East. I was able to access it alongside large amounts of voter's personal data in what amounts to a fairly significant data breach. pic.twitter.com/MqQdWxPTfe — John Johnston (@johnjohnstonmi) 7 June 2018

In a statement, a Lib Dem spokesperson said: “As soon as we were made aware of the issue we immediately took action and closed access. We are urgently investigating how this happened and have taken steps to ensure it will not again.”

The data should have been secured behind a password protected login page which was only accessible by registered Liberal Democrat activists, but a blunder saw a direct link being shared on a Facebook page used to co-ordinate the party's campaigning activities.

It meant that anyone with the link could access the data without verifying their identity.

The loophole was closed once the party was made aware of the breach but it was possible that the data was openly accessible for several days.

The blunder comes just days after the introduction of General Data Protection Regulation laws aimed at tightening up the rules on the use of personal data by organisations.

When asked if the party would be reporting the breach to the Information Commissioner, the spokesperson added: "If our internal investigation finds grounds for referral then we will do so but we have to wait the outcome first."