Back in May, I broke the story on DaniWeb in this very blog of how the online application facility for UK visas was not only insecure, but that it had potentially been so for years. The company concerned, VFS Global, which operated the visa online application form filing service on behalf of the UK government in India and other countries, had such Mickey Mouse security in place that anyone could easily get hold of the full application form information of anyone who had made such an application. That's anyone as is terrorist, identity thief, innocent applicant stumbling across the information or even an investigative journalist. The story quickly gathered momentum, and featured as the lead on Channel 4 News in the UK after I brought it to their attention and aided with the investigation.
Today, the UK Information Commissioner's Office (ICO) has found the Foreign and Commonwealth Office (FCO) in breach of the Data Protection Act following an investigation into that application facility security fiasco.
This follows on from an independent report, instigated by the UK Foreign Secretary at the time, and conducted by Linda Costelloe Baker in June which concluded that the VFS operated online application system should not be re-opened. Indeed, it has remained closed ever since I first brought the security problem to light back in May.
I alerted the ICO the very first day that the security breach became clear, following my own 'testing' of the database and discovery that it could indeed be easily hacked to reveal the personal data as described. The ICO immediately launched an investigation into the joint Home Office and Foreign and Commonwealth Office Directorate responsible for visa processing. The FCO cooperated fully with the ICO during the course of the investigation and provided the ICO with an independent report into the breach.
The ICO has now required the FCO to sign a formal undertaking to comply with the principles of the Data Protection Act. Failure to meet the terms of the undertaking is likely to lead to further enforcement action by the ICO.
Mick Gorrill, Assistant Commissioner at the ICO, said: "Organisations have a duty under the Data Protection Act to keep our personal information secure. If organisations fail to take this responsibility seriously, they not only leave individuals vulnerable to identity theft but risk losing individuals' confidence and trust. We investigate any organisation in breach of the Act and will not hesitate to take appropriate action."
It's not every day that a blog such as this can claim credit for giving the government a swift and very much deserved kick in the nether regions.
