You may have missed it amongst the many news reports of the denial-of-service attacks troubling Labour, but that wasn’t the only reason the UK political party made the cybersecurity headlines this week.
In fact, less than 12 hours before Labour went public about the “sophisticated” (ahem…) attack which knocked its website offline and allegedly impacted campaigning for the upcoming General Election, The Times reported on a potential data breach involving the party.
According to The Times, some donors’ names, and time and size of their donation to the party were easily accessible:
Labour published the names of people who have donated to the party through its website thanks to an apparent security flaw.
In most cases the data included donors’ first names, the amount they contributed and the time they made the donation. Some full names were also published.
The information could be accessed using any web browser and without security checks.
That doesn’t sound good, and BBC News shared some more details:
The Times has revealed that Labour exposed the names of people who had donated money via an online tool.
The details could be found via an RSS web feed generated by the site’s code, which most browsers provide a way to inspect.
In most cases the information was limited to the donors’ first names and the sums given.
But because some people had mistakenly added their surname to the first name input box, this too was disclosed.
Labour denies this represented a security flaw or that a reportable data breach had occurred. It also believes that only a small number of full names were exposed.
However, it made changes to shut down the RSS feed last night.
You, like me, might scratch your head and wonder why the Labour website would ever have wanted to put the details of donations into an RSS feed, accessible to the world.
But then I realised – people willingly do this all the time. If you go to any of the popular fundraising sites you’ll find long lists of people, some of whom give both their names, sharing details of how much money they have given to a particular cause.
Here’s a redacted screenshot I just took on Justgiving, for instance:
It’s purely guesswork on my part in the absence of any firm information, but is it possible that the Labour Party website was creating an RSS feed to support its fund-raising efforts by displaying an automatically updated list of folks who had donated money?
I don’t believe that there’s anything wrong with publishing the details of people who have donated relatively small amounts of cash via an online tool *if* they have given you permission to publish their details – but that’s a detail which both BBC News and The Times fail to tackle.
My hunch would be that the fact that this data “leaked” via an RSS feed suggests that it might have been more of a boo-boo than a serious security problem, and even then only if those donating didn’t have the option of declining publicity.
But what unfortunate timing for Labour to have both their attention-grabbing DDoS attack dominate the headlines on the same day that there was a potential data leak.
For more discussion about the cybersecurity issues that have plagued the Labour Party this week, listen to this edition of the “Smashing Security” podcast: