Online applications for some UK
visas have been suspended amid claims a security loophole left personal data
vulnerable to identity thieves.
Channel 4 News said IT systems covering India,
Russia and Nigeria
were affected and said up to 50,000 Indian travellers could have been exposed
to having personal details stolen.
Home addresses, dates of birth and passport numbers were all
said to be accessible for more than a year creating what the Tories dubbed a
“treasure trove for international terrorists”.
Data privacy watchdog the Information Commissioner demanded
a “full explanation” from the Foreign Office over the apparent breach
– which the programme said was first pointed out a year ago.
“The Information Commissioner's Office takes security
breaches very seriously. We will expect a full explanation from the Foreign
& Commonwealth Office to establish what and how this incident has
happened,” it told the programme.
The Foreign Office told Channel 4 the IT system was not
connected to the Government's own secure information system which is used to
process the applications.
Problems with the site were first reported to the firm and
the High Commissioner by Indian visa applicant Sanjib Mitra in April 2006 when
he found he could access other people's personal data.
Channel 4 was alerted after he discovered last week that it
was still possible, it said.
Shadow immigration minister Damian Green said: “It's
appalling and almost the most appalling thing is that it's not at all
“This happens again and again and this probably is the
most serious because this will have been a treasure trove for international
terrorists, precisely the sort of people the Government keeps telling us its
new electronic systems and biometric visas and so on will keep out.”
There is such a striking similarity to the MTAS system
fiasco with this and other database hacks, that suspicions must be raised,
possibly to collusion in design and build, and bearing in mind that India,
Russia and Nigeria are top of the list in the global ID theft world, whether
there is any truth to the rumours that government is being deliberate in
releasing PII (Personally Identifiable Information) via the Internet to justify ID
The questions that immediately need answering are:
built the system.
tested the system.
the system successfully security tested, including Penn testing.
signed it off and put it into service.
there any connection with MTAS (personnel, management, designers etc).
IDS been informed, and what instructions have they been given.
there been any checks to see who is in the UK
with Visa’s issued during the period.
they checked with the authorities in India
to see whether there is any duplication. i.e. person in the UK,
but also in India, Russia and Nigeria?
was initially informed, and what did they do about it.
is ultimately responsible for the systems.
the first reporting, who was responsible for ensuring the loophole was
the system was accessible for a year, how many previous years applications
were visible during that period.
many applications were successful from all data stored on that system, not
just for the year that it was visible.
is the data sent to the Government's own secure information system which
is used to process the applications if it is not connected as stated by
the Foreign Office undertaken a risk analysis and has this been published.
in the Home Office is responsible for ensuring that no duplicate persons
are in the UK.
If ever there was a case to end the ID cards programme, this
is coming pretty damn close to it. This time government heads must roll, or will ministers try to blame bloggers as Hewitt has done with MTAS.
When documents are issued overseas legitimately, UK ID cards
would protect us how?
These databases are ENABLERS OF ID FRAUD.
Say No to ID cards, Say No to the Database state.