The voting intentions of millions of Britons in local authority wards across the country could have been at risk of misuse as a result of a glitch in the Labour party’s main phone-banking system, the Guardian understands.
Experts had warned that the sensitive data could potentially have been harvested via an automated program and used for targeted election interference by campaign groups or even hostile states.
More than half a million Labour party members have access to the Dialogue system, used by activists to make calls to the public for a variety of reasons, including to ascertain how they are planning to vote.
However, within just a few clicks, the glitch meant that they could also access sensitive information including postcodes, which – when combined with voting intentions – would potentially have allowed them to generate a list of millions of people across Britain.
The Guardian alerted Labour, which is believed to regularly monitor the programme to make sure it is not misused, to the potential breach, and the Dialogue system was taken down for 48 hours while additional security measures were put in place.
A Labour party spokesperson said: “As soon as this question was brought to our attention, the system was taken down for investigation. The party takes the security of all personal information for which it is responsible extremely seriously.”
The phone-banking system is believed to limit the pool of data in each local authority ward that individual members can access, which would also limit the scope of any nationwide list that they may be able to compile. However, it has been suggested that this restriction could be bypassed by the glitch.
Labour members’ identities are verified when they join the party and, additionally, they have to agree to strict data protection rules when using the telephone canvassing system, which is similar to those used by other political parties and does not divulge telephone numbers.
However, Prof Alan Woodward, an internationally renowned computer security expert at the University of Surrey, said: “Whilst this is unfortunate exposure of data, it is unlikely to be of real use to scammers unless combined with data harvested from elsewhere.
“The most sensitive part of the data exposed is voting intention. Knowing voting intentions is just the sort of data that could be used for targeted election interference. If we want our democracy kept safe, then that is just the sort of data we need to take care of appropriately.”
Caroline Carruthers, an author and data expert, added: “The majority of information available isn’t particularly worrying as it is readily and easily available elsewhere. What is of concern is the voting intention information.
“Within the GDPR [General Data Protection Regulation], there is a special category of data concerned with any personal data that is considered particularly sensitive, such as sexual orientation or ethnic origins. One of these special categories is political opinions.
“This type of data needs to be treated with extra care as it opens people up for discrimination or could open the risk to political interference.
after newsletter promotion
“Seeking to understand and record this information is relevant to the Labour party, so that in itself isn’t the concern – it is the lack of control over who has access to this information that should be considered carefully.”
The Guardian understands that the potential breach has been reported to the Information Commissioner’s Office (ICO), the data watchdog, which has the power to audit organisations’ data protection systems and to issue fines, although this is thought to be unlikely in this case.
An ICO spokesperson said: “All organisations using personal data must ensure they are doing so safely and securely and processing remains fair, lawful and transparent.
“In particular, those dealing with special category data – including political views – have an added responsibility to ensure this data is protected due to its sensitivity, and organisations must recognise this, whilst taking additional steps to address potential risks.”
Any organisation which becomes aware of a personal data breach has to notify the ICO within 72 hours, unless they conclude that it does not pose a risk to people’s rights and freedoms.
