Conservatives investigated over possible mass email data breach

Britain's Prime Minister Rishi Sunak delivers a speech on national security at the Policy Exchange, on May 13, 2024 in London, England. UK Prime Minister Rishi Sunak insisted on May 13 that his beleaguered Conservative party can win a general election despite polls consistently indicating the opposite, but refused to set a date for the vote. (Photo by Carl Court / POOL / AFP) (Photo by CARL COURT/POOL/AFP via Getty Images)
Prime minister Rishi Sunak delivered a speech on national security at the Policy Exchange in London. (AFP via Getty Images)

The Conservative Party has apologised for a data breach on the same day the prime minister insisted it is keeping Britain "safe".

On Monday, an email sent from Conservative Campaign Headquarters (CCHQ) was CCed with hundreds of people's email addresses without their permission, a potential breach of general data protection regulation (GDPR).

Journalist Rachel Cunliffe, associate political editor at the New Statesman, said she had received an email in which hundreds of email addresses were included.

She wrote on X, formerly Twitter: "Did anyone else just get this email, ostensibly from CCHQ, which has CCd rather then BCCd its recipients and thus shared hundreds of personal email addresses?"

She posted a screen grab of the email she received, which asked recipients to submit their registration for the Conservative Party conference later this year.

The grab contained grammar and spelling errors, as well as double spacing between some words, and a link for recipients to click.

In an article for the New Statesman, Cunliffe wrote that the email had been sent to 344 people, listing all of their email addresses.

A Conservative Party spokesman later told Yahoo News the email was genuine and had come from CCHQ, and was neither spam nor phishing.

He said: “We are aware of an issue relating to a conference registration email and are currently investigating the cause of this. We apologise to those affected and have self-reported to the Information Commissioner’s Office.”

The party is reported to have sent a follow-up email to recipients - which has not been seen by Yahoo - apologising for the error, saying: "Please accept our sincere apologies for this. We have taken steps to ensure that this issue does not happen again."

The Information Commissioner's Office, which regulates data protection, confirmed that it is investigating.

A spokesperson told Yahoo News UK: "The Conservative Party has made us aware of this incident and we are assessing the information provided.

Entrance to the Conservative Campaign Headquarters on Matthew Parker Street, Westminster, London, SW1H, U.K.
The Conservative Campaign Headquarters (CCHQ) in Westminster, London. (PA)

"Failure to use BCC correctly in emails is one of the top data breaches reported to us every year. Organisations should consider using alternatives to BCC such as bulk email services, mail merge, or secure data transfer services, so personal information is not shared with people by mistake."

It came as party leader and prime minister Rishi Sunak made a major speech about security and said the country would be less safe under Labour leader Sir Keir Starmer.

Sunak said: “I believe that we will keep this country safe and Keir Starmer’s actions demonstrate that he won’t be able to do that.”