Conservative conference app: Brandon Lewis unable to confirm extent of data breach which leaked MP's mobile numbers

The Conservative Party chairman has been unable to reveal the true extent of a major data breach which exposed cabinet ministers’ private details on the party’s official conference app.

Brandon Lewis said the party was treating the system flaw as a “serious matter” which affected a “limited number” of people, but he refused to give further details after repeated questions about how many people had been affected.

The blunder could cost the Tories up to £2m in fines and raises serious security questions, as high-ranking government ministers such as the defence secretary Gavin Williamson were reportedly affected.

It also risked overshadowing the first day of the Conservative conference in Birmingham, where Theresa May is already facing rampant Brexit infighting and questions over her leadership.

Mr Lewis told Sky News’s Ridge on Sunday: “Any breach of data is a serious matter, that’s why we are taking it seriously. We are investigating, we have already contacted the Information Commissioner and we will be putting in a fuller report to them.“

He went on: “This will affect people where somebody has guessed or knew somebody’s email address and was able to therefore log in as them.

“So it will be a limited number of our delegates here but we are contacting the delegates at conference to explain to them exactly what has happened and what they can do about that.”

Asked who was responsible, he said: “I can’t get into the details at the moment in terms of the numbers because we are doing the investigation at the moment, working with the company who supplied the app, who supply companies like Barclays and Nissan and Ebay for conferences and things around the world.”

He said the problem had been fixed within half an hour of uncovering the security issue and the app was functioning securely.

Pressed on whether the breach could ramp up abuse to politicians, he said: “We are doing a full investigation to see what exactly and who exactly was able be accessed in this way.”

Mr Lewis also sidestepped questions about whether he would resign over the debacle and said his priority was ensuring the problem is addressed.

The security breach was discovered on Saturday when users noticed they could access private data for any attendees, simply by logging into the app using an email address.

Some users accessed Boris Johnson’s profile, which provided them with the ex-foreign secretary’s phone number, while others reportedly posted pornography as his profile picture.

An ICO spokesperson said: “We are aware of an incident involving a Conservative Party conference app and we will be making enquiries with the Conservative Party.

“Organisations have a legal duty to keep personal data safe and secure. Under the GDPR they must notify the ICO within 72 hours of becoming aware of a personal data breach, if it could pose a risk to people’s rights and freedoms.”