New Times,
New Thinking.

CCHQ’s email breach is both a literal and metaphorical failure

If you can’t trust the Conservatives with your email address, why should you trust them with anything else?

By Rachel Cunliffe

This morning, as Rishi Sunak was preparing to give a speech all about the transformative power of technology and how he alone could keep the country safe in an increasingly dangerous world, I received an email from the Conservative Party.

This isn’t all that surprising. I’ve been on the Conservative Campaign Headquarters (CCHQ) mailing list since I first started working in journalism. It’s a useful way of staying in the loop about how the party is communicating with its members. It also wasn’t much of a surprise to get an email from this particular CCHQ-affiliated address: registration@conservatives.com. This is the address used to communicate information about the party conference. Indeed, the subject of this email was: “Conservative Party Conference 2024 – Partially Completed / Unsubmitted Registrations”. It was nudging me to submit the half-completed registration for this autumn’s conference I’d started a few weeks ago before getting distracted.

Good morning,

If you have abandoned or not submitted your registration for this years Conservative Party Conference please could you complete your registration at your earliest opportunity via this link.
https://conference.conservatives.com/reg/general/home.asp

Regards

Registration Team

So far, so good – although the fact the party is already angsty enough about conference attendance to start nudging people a full four months in advance does suggest an element of panic. But perhaps they’re just trying to be organised. Not organised enough to remember to put an apostrophe in “year’s”, but that could trip anyone up.

The email, though, wasn’t just sent to me. It was sent to 344 people. I know this, because they were all listed there in the “To” section, along with their email addresses.

Oops. Or, if you prefer, insert a different four-letter word. Because sharing email addresses like this isn’t just a breach of etiquette that suggests you’re trapped in some kind of Nineties chain-letter time loop. It’s a pretty major data violation.

According to the General Data Protection Regulation (GDPR) that came into force across Europe, including in the UK, in 2018, a personal email address or work address that includes personal information (like your name) counts as your personal data. Sharing that data without your express permission (except in very specific circumstances such as to comply with the law) is in breach of GDPR and is grounds for a complaint to the Information Commissioner’s Office (ICO). The ICO has the power to issue fines, and those fines can be pretty hefty. GDPR – a regulation drafted with Silicon Valley big beasts like Facebook and Google in mind – can levy fines of up to €20m or 4 per cent of an organisation’s total global turnover, whichever is higher.

Give a gift subscription to the New Statesman this Christmas from just £49

Before anyone gets excited, that’s obviously for the most egregious cases that involve more than just a failure to BCC. But this is one of the most common kinds of data breach the ICO fields reports about. And they can be serious. In December 2023, the Ministry of Defence was fined £350,000 for a data breach for including emails of people seeking relocation from Afghanistan after the Taliban takeover. And there have been various fines issued to organisations, such as Central YMCA (£7,500) and HIV Scotland (£10,000), that made the same error and disclosed personal emails from which one could make an assumption about the recipient’s HIV status.

CCHQ forgetting to use BCC might not be on the same level, but it’s still serious: I now know a fair bit more about the people on that list than just their email addresses. I know they’re considering going to the Conservative Party conference, for a start. And given that lots of them are personal addresses (gmail, hotmail and the like) rather than company ones, I can make a guess at their political affiliation. Some of them might not mind all that much – they are considering going to an event where they could easily be caught in shot by one of the hundreds of cameras about, so it’s not like this is a secret gathering. But they would also have had the reasonable expectation that registering for conference was a private act, and not something the party would just decide to broadcast to 300 strangers.

Anyway, I know a number of people wanted to know if the email was genuine after I tweeted about it, so I got in touch with CCHQ. Five hours after the initial email went out, I received a response:

“We are aware of an issue relating to a conference registration email and are currently investigating the cause of this.

“We apologise to those affected and have self-reported to the Information Commissioner’s Office.”

Screw-ups happen in any organisation, but that isn’t an excuse, particularly when it’s the party of government screwing up. Competence matters. Complying with the law matters. This is such a basic error, so easily avoided, it inevitably sets alarm bells ringing. If CCHQ doesn’t have the staff and training procedures to prevent a classic email-sharing error, what does that say about their resilience as a whole? How are their cybersecurity defences? What else is getting missed?

In short, it’s not a great message to send while the PM is out making his pitch to the nation by asking “who do you trust to keep you safe?” After all, if you can’t trust the Conservatives with your email address, why should you trust them with anything else?

[See also: What Westminster isn’t telling you about our GDP figures]

Content from our partners
Building Britain’s water security
How to solve the teaching crisis
Pitching in to support grassroots football

Topics in this article : , ,