When the Conservative Party Conference app was breached, not only were names, addresses and phone numbers made public; you only needed a publicly available MP email address to log in as that MP on the app, giving you the ability to update and change that person's personal information and even their photo. Not only was the data about senior members of the Conservative Party, but also about high-ranking officials in the police and armed forces. Several of them have already received nuisance phone calls, and for security reasons, many will now have to change their phone numbers.
The main question is: who is responsible? Is it the person who uploaded the data and set the permissions, or is it the app provider who allowed the app to run in this format with the permissions in these settings? We won’t know this for some time, and it will come down to a decision from the ICO. With the possibility of fines of up to £20 million or 4% of turnover, whichever is higher, is that a chance you are willing to take with your next event app?
One of the strong beliefs we have always had at Cube-i is that we take a hands-on approach to every event we run. We believe there are four questions that you should be asking yourselves about any event app you want to create.
What data are you planning on hosting in the app and what data are you trying to capture?
The security you need for your app comes from what you are storing. Don’t just concentrate on what data you want to share; also think about what data you are trying to collect. If you are running an event about how to create strategy and policies for taking the company forward, do you want that information available to the public or online?
Have you got permission to share the data that you have collected about your delegates?
If you want to share contact information for all the delegates, do you have permission to share all of that information? GDPR is very clear on this: if you don’t have their permission, you can’t share their data.
What happens if the data gets out into public hands or there is a full hack?
Depending upon what type of app you use, your data can be at risk. You have to ask yourself what would happen in the worst-case scenario. Does that high-risk data need to be in the app? If it does, then the final question is the most important.
What app best suits the data you are hosting and how do you want to protect it?
There are two types of app available for an event: online, where all the information is stored on the web, and offline, where it is stored locally and only available at your event.
Our iPad system, iConnect, has been created explicitly for storing all the information at your event on a local, private, secure Wi-Fi network. The only way a hacker could obtain access to the system would be to be at the event, which is a lot safer than an online app that could be accessed from anywhere in the world.
If you want to give your delegates access to the app information at all times, then you will need to host the app online, and the question becomes: how do you want to protect it? In our Involved app, each event is protected by a 6-character PIN, meaning there are 19.7 billion possible codes, more than secure enough to stop someone guessing it; but that PIN is only as secure as the people you give it to. We don't allow personalised event codes, as they are simply too easy to guess. We've come across numerous events where the event code is the same as the Twitter hashtag.
Cube-i's iConnect Personal app is a web app that can be customised to your needs. You can send the link directly to your delegates and get them to download it, and you can add a password to the app to protect it should anyone find the link. We can even send the link directly to your delegates with a unique password for each person.
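The two ideas in the paragraphs above, a randomly generated event code that nobody can derive from the event name or hashtag, and a unique password per delegate, can be implemented as follows. This is an added example written for this page, not Cube-i's own code, and it makes several assumptions: the code alphabet is upper- and lower-case letters (52 symbols, so six characters give 52^6 = 19,770,609,664 codes, the 19.7 billion figure quoted above), only a salted PBKDF2 hash of each code is stored, and a client that fails five times is locked out for fifteen minutes. The parameter names and class are hypothetical.

```python
import hashlib
import hmac
import secrets
import string
import time

# Assumed parameters for this example; they are not Cube-i's real settings.
ALPHABET = string.ascii_letters        # 52 symbols: upper- and lower-case letters
CODE_LENGTH = 6
PBKDF2_ITERATIONS = 100_000
MAX_ATTEMPTS = 5                       # failed attempts before a client is locked out
LOCKOUT_SECONDS = 900                  # how long a locked-out client must wait


def keyspace(length: int = CODE_LENGTH, alphabet: str = ALPHABET) -> int:
    """Number of distinct codes of `length` symbols drawn from `alphabet`."""
    return len(alphabet) ** length


def generate_code(length: int = CODE_LENGTH, alphabet: str = ALPHABET) -> str:
    """Draw a code from the OS CSPRNG; never derive it from the event name or hashtag."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def hash_code(code: str, salt: bytes = b"") -> tuple:
    """Return (salt, digest). Only the salted, stretched hash is stored, so a leaked
    database does not hand out working codes."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", code.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


class AccessCodeStore:
    """Per-delegate access codes with hashed storage and per-client attempt throttling.
    `clock` is injectable so the lockout can be exercised without waiting."""

    def __init__(self, clock=time.time):
        self._records = {}      # delegate_id -> (salt, digest)
        self._attempts = {}     # client_id -> (failed_count, locked_until)
        self._clock = clock
        # Dummy record so an unknown delegate id costs the same time as a wrong code.
        self._dummy = hash_code(generate_code())

    def issue(self, delegate_id: str) -> str:
        """Create a unique code for one delegate. The plaintext is returned exactly
        once, to be sent to that person; only its hash is kept."""
        code = generate_code()
        self._records[delegate_id] = hash_code(code)
        return code

    def verify(self, delegate_id: str, code: str, client_id: str) -> bool:
        now = self._clock()
        failed, locked_until = self._attempts.get(client_id, (0, 0.0))
        if now < locked_until:
            return False                   # locked out: refuse without checking
        salt, digest = self._records.get(delegate_id, self._dummy)
        _, candidate = hash_code(code, salt)
        # Constant-time comparison; the hash is computed even for unknown ids.
        ok = hmac.compare_digest(candidate, digest) and delegate_id in self._records
        if ok:
            self._attempts.pop(client_id, None)
            return True
        failed += 1
        if failed >= MAX_ATTEMPTS:
            self._attempts[client_id] = (0, now + LOCKOUT_SECONDS)
        else:
            self._attempts[client_id] = (failed, 0.0)
        return False


if __name__ == "__main__":
    store = AccessCodeStore()
    code = store.issue("delegate-1")           # send this to the delegate, once
    print("keyspace:", keyspace())
    print("correct code accepted:", store.verify("delegate-1", code, "client-a"))
    print("wrong code accepted:", store.verify("delegate-1", "000000", "client-a"))
```

The keyspace only matters if an attacker cannot try codes quickly; the lockout is what turns 19.7 billion possibilities into a real obstacle, and the hashed storage is what keeps the codes safe if the database itself leaks.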
Cube-i are entirely GDPR compliant: all the data that we store is in an encrypted format and pseudonymised, to ensure that even if there were a breach of the database, the data would still be safe.
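Pseudonymisation as described above, where the app's database holds only tokens and the table linking tokens to real people is kept apart, can be illustrated with a keyed token. This is an added example, not Cube-i's implementation: it assumes the token is an HMAC-SHA256 of the delegate's email under a key held outside the database, that name, email, phone and address are the identifying fields, and that everything else (session choices, dietary needs) may stay in the app record. The sample delegate record is constructed for the example.

```python
import hashlib
import hmac
import secrets

# Assumed: the key lives in a key store, never alongside the pseudonymised data.
PSEUDONYM_KEY = secrets.token_bytes(32)

IDENTIFYING_FIELDS = ("name", "email", "phone", "address")

# Constructed sample record; not real delegate data.
SAMPLE_DELEGATE = {
    "name": "Example Delegate",
    "email": "Delegate@example.org",
    "phone": "+44 0000 000000",
    "address": "1 Example Street, Exampletown",
    "session": "Keynote",
    "dietary": "vegetarian",
}


def pseudonym(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed, deterministic token for an identifier. The same email always maps to
    the same token (so records can be joined), but without the key nobody can
    reverse a token or confirm a guessed email against it."""
    normalised = value.strip().lower().encode()
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def unkeyed_hash(value: str) -> str:
    """What NOT to do: a plain hash lets anyone who can guess an email check it."""
    return hashlib.sha256(value.strip().lower().encode()).hexdigest()


def split_record(record: dict, key: bytes = PSEUDONYM_KEY) -> tuple:
    """Return (app_record, identity_record). The app record carries the token plus
    non-identifying fields; the identity record carries the token plus the personal
    fields and is stored in a separate, more tightly controlled place."""
    token = pseudonym(record["email"], key)
    app_record = {"delegate_token": token}
    identity_record = {"delegate_token": token}
    for field, value in record.items():
        if field in IDENTIFYING_FIELDS:
            identity_record[field] = value
        else:
            app_record[field] = value
    return app_record, identity_record


def rejoin(app_records: list, identity_records: list) -> list:
    """Re-link the two halves on the token; only possible for whoever holds both tables."""
    identities = {r["delegate_token"]: r for r in identity_records}
    return [{**identities[a["delegate_token"]], **a} for a in app_records]


if __name__ == "__main__":
    app_rec, id_rec = split_record(SAMPLE_DELEGATE)
    print("app record:", app_rec)           # no name, email, phone or address
    print("identity record:", id_rec)
    print("rejoined:", rejoin([app_rec], [id_rec]))
```

If the app database alone is breached, the attacker gets session and dietary data tied to opaque tokens. A plain SHA-256 of the email would not give that protection: the email addresses of public figures are easy to guess, and a guess can be hashed and matched. The HMAC key is what stops that, so it must not be stored with the data it protects.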