Back in May, I broke the story on DaniWeb in this very blog of how the online application facility for UK visas was not only insecure, but that it had potentially been so for years. The company concerned, VFS Global, which operated the visa online application form filing service on behalf of the UK government in India and other countries, had such Mickey Mouse security in place that anyone could easily get hold of the full application form information of anyone who had made such an application. That's anyone, as in terrorist, identity thief, innocent applicant stumbling across the information or even an investigative journalist. The story quickly gathered momentum, and featured as the lead on Channel 4 News in the UK after I brought it to their attention and aided with the investigation.

Today, the UK Information Commissioner's Office (ICO) has found the Foreign and Commonwealth Office (FCO) in breach of the Data Protection Act following an investigation into that application facility security fiasco.

This follows on from an independent report, instigated by the UK Foreign Secretary at the time, and conducted by Linda Costelloe Baker in June, which concluded that the VFS-operated online application system should not be re-opened. Indeed, it has remained closed ever since I first brought the security problem to light back in May.

I alerted the ICO the very first day that the security breach became clear, following my own 'testing' of the database and discovery that it could indeed be easily hacked to reveal the personal data as described. The ICO immediately launched an investigation into the joint Home Office and Foreign and Commonwealth Office Directorate responsible for visa processing. The FCO cooperated fully with the ICO during the course of the investigation and provided the ICO with an independent report into the breach.

The ICO has now required the FCO to sign a formal undertaking to comply with the principles of the Data Protection Act. Failure to meet the terms of the undertaking is likely to lead to further enforcement action by the ICO.

Mick Gorrill, Assistant Commissioner at the ICO, said: "Organisations have a duty under the Data Protection Act to keep our personal information secure. If organisations fail to take this responsibility seriously, they not only leave individuals vulnerable to identity theft but risk losing individuals' confidence and trust. We investigate any organisation in breach of the Act and will not hesitate to take appropriate action."

It's not every day that a blog such as this can claim credit for giving the government a swift and very much deserved kick in the nether regions.

About the Author

A freelance technology journalist for 30 years, I have been a Contributing Editor at PC Pro (one of the best selling computer magazines in the UK) for most of them. As well as currently contributing to Forbes.com, The Times and Sunday Times via Raconteur Special Reports, SC Magazine UK, Digital Health, IT Pro and Infosecurity Magazine, I am also something of a prolific author. My last book, Being Virtual: Who You Really Are Online, was published in 2008 as part of the Science Museum TechKnow Series by John Wiley & Sons. I am also the only three-time winner (2006, 2008, 2010) of the BT Information Security Journalist of the Year title, and was humbled to be presented with the ‘Enigma Award’ for a ‘lifetime contribution to information security journalism’ in 2011 despite my life being far from over...

Dani

Awesome work, Davey!