DaniWeb story leads to UK Foreign Office being in breach of Data Protection Act


Back in May, I broke the story on DaniWeb in this very blog of how the online application facility for UK visas was not only insecure, but had potentially been so for years. The company concerned, VFS Global, which operated the online visa application form filing service on behalf of the UK government in India and other countries, had such Mickey Mouse security in place that anyone could easily get hold of the full application form information of anyone who had made such an application. That's anyone, as in a terrorist, an identity thief, an innocent applicant stumbling across the information, or even an investigative journalist. The story quickly gathered momentum, and featured as the lead on Channel 4 News in the UK after I brought it to their attention and aided with the investigation.

Today, the UK Information Commissioner's Office (ICO) has found the Foreign and Commonwealth Office (FCO) in breach of the Data Protection Act following an investigation into that application facility security fiasco.

This follows on from an independent report, instigated by the UK Foreign Secretary at the time and conducted by Linda Costelloe Baker in June, which concluded that the VFS-operated online application system should not be re-opened. Indeed, it has remained closed ever since I first brought the security problem to light back in May.

I alerted the ICO the very first day that the security breach became clear, following my own 'testing' of the database and discovery that it could indeed be easily hacked to reveal the personal data as described. The ICO immediately launched an investigation into the joint Home Office and Foreign and Commonwealth Office Directorate responsible for visa processing. The FCO cooperated fully with the ICO during the course of the investigation and provided the ICO with an independent report into the breach.

The ICO has now required the FCO to sign a formal undertaking to comply with the principles of the Data Protection Act. Failure to meet the terms of the undertaking is likely to lead to further enforcement action by the ICO.

Mick Gorrill, Assistant Commissioner at the ICO, said: "Organisations have a duty under the Data Protection Act to keep our personal information secure. If organisations fail to take this responsibility seriously, they not only leave individuals vulnerable to identity theft but risk losing individuals' confidence and trust. We investigate any organisation in breach of the Act and will not hesitate to take appropriate action."

It's not every day that a blog such as this can claim credit for giving the government a swift and very much deserved kick in the nether regions.

Davey Winder

I've been a freelance word punk for more than two decades and for the last few years an Editorial Fellow at Dennis Publishing. Along the way I have been honoured with a Technology Journalist of the Year award, and three Information Security Journalist of the Year awards. Most humbling, though, was the Enigma Award for 'lifetime contribution to IT security journalism' bestowed on me in 2011. As well as working for DaniWeb I have been a Contributing Editor with PC Pro (the best selling IT magazine in the UK) for twenty years.


Awesome work, Davey!
