EXCL Liberal Democrats left voters' personal information exposed in data breach blunder

Posted On: 
7th June 2018

The Liberal Democrats left voters' personal details exposed online in an astonishing data breach, PoliticsHome can reveal.

Voters' personal data was provided alongside a script for Lib Dem phone canvassing on an online database.
Credit: 
PA Images

The party said it had launched an "urgent investigation" after the names, addresses and other information about members of the public in Lewisham East, south east London, were made easily available.

Dates of birth, mobile and home telephone numbers and details of an individual’s nearest polling station were provided to party activists alongside a phone script ahead of next week's parliamentary by-election in the constituency.

MPs hail major U-turn on NHS immigration data-sharing scheme

Bar Council: Rush job on data laws undermines parliamentary scrutiny

Lord Tyler: The impact of data misuse on the Brexit result must be uncovered

Government forced to defend links with scandal-hit political data firm

But the data was inadvertently left accessible to the general public due to a security foul-up exposed by this website.

Information gathered through the party's canvassing operations was also made available, with voters identified by tags indicating their political leanings such as “Yellow Labour” and “Weak Lib Dem”. In some cases, this information was available for entire families.

In a statement, a Lib Dem spokesperson said: “As soon as we were made aware of the issue we immediately took action and closed access. We are urgently investigating how this happened and have taken steps to ensure it will not again.”

The data should have been secured behind a password protected login page which was only accessible by registered Liberal Democrat activists, but a blunder saw a direct link being shared on a Facebook page used to co-ordinate the party's campaigning activities.

It meant that anyone with the link could access the data without verifying their identity.

The loophole was closed once the party was made aware of the breach but it was possible that the data was openly accessible for several days.

The blunder comes just days after the introduction of General Data Protection Regulation laws aimed at tightening up the rules on the use of personal data by organisations.

When asked if the party would be reporting the breach to the Information Commissioner, the spokesperson added: "If our internal investigation finds grounds for referral then we will do so but we have to wait the outcome first."