The official conference app allowed users to access another individual's details if that person's email address was known.
Never mind the data breach, the #cpc18 app is the worst app I’ve ever encountered. The only result when you search for the time of the prime minister’s speech is “Nick Clegg.” pic.twitter.com/KBi1QcD2aR— Jessica Elgot (@jessicaelgot) September 30, 2018
Under the European Union's General Data Protection Regulation, the Tories could be fined as much as £2 million (A$3.6 million) for the leak.
One user, who accessed the account of Michael Gove, changed the profile picture to one of media baron Rupert Murdoch, whom Gove worked for in the past.
Oh dear, @BrandonLewis. Not such a “safe pair of hands” after all. This is embarrassing for @Theresa_May & the Coalition of Chaos!— James The Jackal ✋ (@James4Labour) September 29, 2018
“[@CONservatives’] fury as party faces huge fine for ‘disgraceful’ data breach” #cpc18 #cpc18shambles pic.twitter.com/4gtr5rItFX
"The error was rectified within 30 minutes. It is likely that it affected a very small proportion of attendees and we are working with the Conservative Party to ensure any potentially affected attendees are notified.
"We will also be reporting this to the ICO [Information Commissioner's Office] and reviewing and amending our Data Policies. We apologise unreservedly to the Conservative Party and their attendees."
Almost 24 hours since a data breach which exposed the private contact details of hundreds of people, the Conservatives finally send out an email about their conference app. No apology. Everything blamed on the firm they bought the app from. pic.twitter.com/WsTUIvjiXz— Adam Bienkov (@AdamBienkov) September 30, 2018
The ICO said in a statement: "We are aware of an incident involving a Conservative Party conference app and we will be making inquiries with the Conservative Party.
“Organisations have a legal duty to keep personal data safe and secure. Under the GDPR [General Data Protection Regulation] they must notify the ICO within 72 hours of becoming aware of a personal data breach, if it could pose a risk to people’s rights and freedoms.”