Back in May, I broke the story on DaniWeb in this very blog of how the online application facility for UK visas was not only insecure but had potentially been so for years. The company concerned, VFS Global, which operated the visa online application form filing service on behalf of the UK government in India and other countries, had such Mickey Mouse security in place that anyone could easily get hold of the full application form information of anyone who had made such an application. That's anyone, as in terrorist, identity thief, innocent applicant stumbling across the information or even an investigative journalist. The story quickly gathered momentum, and featured as the lead on Channel 4 News in the UK after I brought it to their attention and aided with the investigation.

Today, the UK Information Commissioner's Office (ICO) has found the Foreign and Commonwealth Office (FCO) in breach of the Data Protection Act following an investigation into that application facility security fiasco.

This follows on from an independent report, instigated by the UK Foreign Secretary at the time and conducted by Linda Costelloe Baker in June, which concluded that the VFS-operated online application system should not be re-opened. Indeed, it has remained closed ever since I first brought the security problem to light back in May.

I alerted the ICO the very first day that the security breach became clear, following my own 'testing' of the database and discovery that it could indeed be easily hacked to reveal the personal data as described. The ICO immediately launched an investigation into the joint Home Office and Foreign and Commonwealth Office Directorate responsible for visa processing. The FCO cooperated fully with the ICO during the course of the investigation and provided the ICO with an independent report into the breach.

The ICO has now required the FCO to sign a formal undertaking to comply with the principles of the Data Protection Act. Failure to meet the terms of the undertaking is likely to lead to further enforcement action by the ICO.

Mick Gorrill, Assistant Commissioner at the ICO, said: "Organisations have a duty under the Data Protection Act to keep our personal information secure. If organisations fail to take this responsibility seriously, they not only leave individuals vulnerable to identity theft but risk losing individuals' confidence and trust. We investigate any organisation in breach of the Act and will not hesitate to take appropriate action."

It's not every day that a blog such as this can claim credit for giving the government a swift and very much deserved kick in the nether regions.

About the Author

As Editorial Director and Managing Analyst with IT Security Thing I am putting more than two decades of consulting experience into providing opinionated insight regarding the security threat landscape for IT security professionals. As an Editorial Fellow with Dennis Publishing, I bring more than two decades of writing experience across the technology industry into publications such as Alphr, IT Pro and (in good old fashioned print) PC Pro. I also write for SC Magazine UK and Infosecurity, as well as The Times and Sunday Times newspapers. Along the way I have been honoured with a Technology Journalist of the Year award, and three Information Security Journalist of the Year awards. Most humbling, though, was the Enigma Award for 'lifetime contribution to IT security journalism' bestowed on me in 2011.