Conservatives investigated over possible mass email data breach
The Conservative Party has apologised for a data breach on the same day the prime minister insisted it is keeping Britain "safe".
On Monday, an email sent from Conservative Campaign Headquarters (CCHQ) was CCed with hundreds of people's email addresses without their permission, a potential breach of general data protection regulation (GDPR).
Journalist Rachel Cunliffe, associate political editor at the New Statesman, said she had received an email in which hundreds of email addresses were included.
She wrote on X, formerly Twitter: "Did anyone else just get this email, ostensibly from CCHQ, which has CCd rather then BCCd its recipients and thus shared hundreds of personal email addresses?"
She posted a screen grab of the email she received, which asked recipients to submit their registration for the Conservative Party conference later this year.
Did anyone else just get this email, ostensibly from CCHQ, which has CCd rather then BCCd its recipients and thus shared hundreds of personal email addresses? pic.twitter.com/jemB1JSchK
— Rachel Cunliffe (@RMCunliffe) May 13, 2024
The grab contained grammar and spelling errors, as well as double spacing between some words, and a link for recipients to click.
In an article for the New Statesman, Cunliffe wrote that the email had been sent to 344 people, listing all of their email addresses.
A Conservative Party spokesman later told Yahoo News the email was genuine and had come from CCHQ, and was neither spam nor phishing.
He said: “We are aware of an issue relating to a conference registration email and are currently investigating the cause of this. We apologise to those affected and have self-reported to the Information Commissioner’s Office.”
The party is reported to have sent a follow-up email to recipients - which has not been seen by Yahoo - apologising for the error, saying: "Please accept our sincere apologies for this. We have taken steps to ensure that this issue does not happen again."
Conservative Party has referred itself to the Information Commissioner after sharing hundreds of personal email addresses, including a number of MP addresses, when it sent out a conference reminder earlier today pic.twitter.com/474IOOBUEk
— Rachael Burford (@RachaelBurford) May 13, 2024
The Information Commissioner's Office, which regulates data protection, confirmed that it is investigating.
A spokesperson told Yahoo News UK: "The Conservative Party has made us aware of this incident and we are assessing the information provided.
"Failure to use BCC correctly in emails is one of the top data breaches reported to us every year. Organisations should consider using alternatives to BCC such as bulk email services, mail merge, or secure data transfer services, so personal information is not shared with people by mistake."
It came as party leader and prime minister Rishi Sunak made a major speech about security and said the country would be less safe under Labour leader Sir Keir Starmer.
Sunak said: “I believe that we will keep this country safe and Keir Starmer’s actions demonstrate that he won’t be able to do that.”