Donation details “leak” from the Labour Party website

Graham Cluley


You may have missed it amongst the many news reports of the denial-of-service attacks troubling Labour, but that wasn’t the only reason the UK political party made the cybersecurity headlines this week.

In fact, less than 12 hours before Labour went public about the “sophisticated” (ahem…) attack which knocked its website offline and allegedly impacted campaigning for the upcoming General Election, The Times reported on a potential data breach involving the party.

According to The Times, some donors’ names, together with the time and size of their donations to the party, were easily accessible:

Labour published the names of people who have donated to the party through its website thanks to an apparent security flaw.

In most cases the data included donors’ first names, the amount they contributed and the time they made the donation. Some full names were also published.

The information could be accessed using any web browser and without security checks.

That doesn’t sound good, and BBC News shared some more details:

The Times has revealed that Labour exposed the names of people who had donated money via an online tool.

The details could be found via an RSS web feed generated by the site’s code, which most browsers provide a way to inspect.

In most cases the information was limited to the donors’ first names and the sums given.

But because some people had mistakenly added their surname to the first name input box, this too was disclosed.

Labour denies this represented a security flaw or that a reportable data breach had occurred. It also believes that only a small number of full names were exposed.

However, it made changes to shut down the RSS feed last night.

You, like me, might scratch your head and wonder why the Labour website would ever have wanted to put the details of donations into an RSS feed, accessible to the world.

But then I realised – people willingly do this all the time. If you go to any of the popular fundraising sites you’ll find long lists of people, some of whom give both their names, sharing details of how much money they have given to a particular cause.

Here’s a redacted screenshot I just took on Justgiving, for instance:

[Redacted screenshot: Justgiving “Donations” list, showing donor names and amounts]

It’s purely guesswork on my part in the absence of any firm information, but is it possible that the Labour Party website was creating an RSS feed to support its fund-raising efforts by displaying an automatically updated list of folks who had donated money?

I don’t believe that there’s anything wrong with publishing the details of people who have donated relatively small amounts of cash via an online tool *if* they have given you permission to publish their details – but that’s a detail which both BBC News and The Times fail to tackle.

My hunch would be that the fact that this data “leaked” via an RSS feed suggests that it might have been more of a boo-boo than a serious security problem, and even then only if those donating didn’t have the option of declining publicity.
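To make the distinction concrete, here is an added example (my own illustration, not code from the Labour site or anything in the news reports) of a donor feed built two ways from a constructed list of donations: the weak way, which publishes whatever was typed into the first-name box for every donor, and a consent-gated way that keeps only the first token of that field and skips anyone who did not opt in. A small check at the end scans a generated feed for multi-word names, which is the symptom the BBC described. The record layout, field names and amounts are all assumptions for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample records, not real donors. "first_name" holds whatever the
# donor typed into the first-name box; "publish_ok" is an explicit opt-in flag.
DONATIONS = [
    {"first_name": "Alice", "amount": 20, "publish_ok": True},
    {"first_name": "Bob Example", "amount": 50, "publish_ok": True},  # surname typed into first-name box
    {"first_name": "Carol", "amount": 10, "publish_ok": False},       # declined publicity
]


def display_name(raw_first_name: str) -> str:
    """Keep only the first token, so a surname typed into the box is dropped."""
    tokens = raw_first_name.strip().split()
    return tokens[0] if tokens else "Anonymous"


def naive_feed_items(donations):
    """Weak behaviour: every donor, raw name field, no consent check."""
    return [(d["first_name"], d["amount"]) for d in donations]


def consented_feed_items(donations):
    """Hardened behaviour: opted-in donors only, first token of the name only."""
    return [(display_name(d["first_name"]), d["amount"])
            for d in donations if d["publish_ok"]]


def build_rss(items, title="Recent donations"):
    """Render (name, amount) pairs as a minimal RSS 2.0 document."""
    rss = ET.Element("rss", version="2.0")
    channel = ET.SubElement(rss, "channel")
    ET.SubElement(channel, "title").text = title
    for name, amount in items:
        item = ET.SubElement(channel, "item")
        ET.SubElement(item, "title").text = f"{name} gave £{amount}"
    return ET.tostring(rss, encoding="unicode")


def leaked_full_names(feed_xml):
    """Site-owner check: list feed entries whose name part has more than one word."""
    flagged = []
    for title in ET.fromstring(feed_xml).iter("title"):
        match = re.match(r"^(.+?) gave £", title.text or "")
        if match and len(match.group(1).split()) > 1:
            flagged.append(match.group(1))
    return flagged
```

Running the check over the naive feed flags “Bob Example”; over the consent-gated feed it flags nothing and Carol never appears.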

But what unfortunate timing for Labour to have both their attention-grabbing DDoS attack dominate the headlines on the same day that there was a potential data leak.

For more discussion about the cybersecurity issues that have plagued the Labour Party this week, listen to this edition of the “Smashing Security” podcast:

Smashing Security #154: A buttock of biometrics


Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.


