Last year I exposed a security breach involving the online collection of applications for visa documents allowing Indian citizens to visit the UK, an exposé that ended up with the UK government itself being found guilty of breaking the Data Protection Act and which kick-started something of a sea change in the way that such online applications are handled. You might think, therefore, that the company at the heart of that scandal would have cleaned up its act when it came to security. Unfortunately, communications with a former VP responsible for business development at VFS suggest otherwise.
Suprit Roy used to be responsible for new project rollouts at VFS before resigning from the company on 10th December 2007. He claims that the whole visa application database security scandal was caused by an underlying lack of commitment to enforcing discipline, standards and ethics at a senior management level. "It was only after your exposé got broadcast on Channel 4 and the FCO sent in Independent Investigator Linda Baker-Costelloe that the company acted reactively to enforce some IT security practices," Roy says. He also says that despite this, not enough has been done at the most basic levels of security, and cites his own corporate email account as evidence.
Most companies that understand security issues, and take them seriously, act quickly to sanitize the email account of any employee who leaves, let alone someone of VP status. There are plenty of methods that fall within best practice to ensure that incoming corporate email is forwarded to another account without leaving access open to the ex-member of staff: the directory account is disabled and its password reset, the mailbox is set to forward to a successor, and browser and client access to the mailbox is switched off. However, Roy claims that when speaking to a former colleague this weekend it was revealed in passing that his former official email account continued to be live within the company system. Using the Outlook Web Access login page to enter his user name, Roy discovered this to indeed be the case.
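The leaver procedure described above, written out as an added example for an on-premises Exchange and Active Directory environment. This is not VFS's script or procedure and the page says nothing about how VFS runs its mail; it assumes an Exchange Management Shell session with the ActiveDirectory module available, and the account name, forwarding recipient and OU below are placeholders to be replaced with real values.

```powershell
# Added example, not the company's own procedure: close a leaver's account while
# keeping their inbound mail flowing to a colleague, then verify the result.
# Assumes the Exchange Management Shell (Exchange 2007 or later cmdlets) and the
# ActiveDirectory module. All identities and paths below are placeholders.
param(
    [Parameter(Mandatory = $true)] [string]$Leaver,      # sAMAccountName of the leaver (placeholder)
    [Parameter(Mandatory = $true)] [string]$ForwardTo,   # recipient who inherits the mail (placeholder)
    [string]$DisabledOU = 'OU=Disabled Users,DC=corp,DC=example'   # placeholder OU
)

Import-Module ActiveDirectory

# 1. Close the door: disable the logon, reset the password so any cached or
#    shared credential stops working, and strip every group membership.
Disable-ADAccount -Identity $Leaver
$newPassword = ConvertTo-SecureString ([guid]::NewGuid().ToString()) -AsPlainText -Force
Set-ADAccountPassword -Identity $Leaver -Reset -NewPassword $newPassword
Get-ADPrincipalGroupMembership -Identity $Leaver |
    Where-Object { $_.Name -ne 'Domain Users' } |
    ForEach-Object { Remove-ADGroupMember -Identity $_ -Members $Leaver -Confirm:$false }

# 2. Keep the mail: forward inbound messages to the successor without leaving a
#    copy in the leaver's mailbox, and hide the address from the address lists.
Set-Mailbox -Identity $Leaver `
    -ForwardingAddress $ForwardTo `
    -DeliverToMailboxAndForward $false `
    -HiddenFromAddressListsEnabled $true

# 3. Shut every client protocol, Outlook Web Access included, so that even a
#    mistakenly re-enabled account cannot read the mailbox from a browser.
Set-CASMailbox -Identity $Leaver `
    -OWAEnabled $false -ActiveSyncEnabled $false -MAPIEnabled $false `
    -PopEnabled $false -ImapEnabled $false

# 4. Park the object where the disabled-account policy (and eventual deletion) applies.
Move-ADObject -Identity (Get-ADUser -Identity $Leaver).DistinguishedName -TargetPath $DisabledOU

# 5. Verify rather than assume: read the state back and report it.
$user = Get-ADUser -Identity $Leaver -Properties LastLogonDate, MemberOf
$cas  = Get-CASMailbox -Identity $Leaver
$mbx  = Get-Mailbox -Identity $Leaver
[pscustomobject]@{
    Account      = $Leaver
    Enabled      = $user.Enabled             # expected: False
    Groups       = @($user.MemberOf).Count   # expected: 0
    OWAEnabled   = $cas.OWAEnabled           # expected: False
    ForwardingTo = $mbx.ForwardingAddress    # expected: the successor
    LastLogon    = $user.LastLogonDate       # must not advance after today
}

# 6. Sweep for accounts the process missed: still enabled, but nobody has logged
#    on for 90 days. Each hit needs checking against the HR leaver list.
Search-ADAccount -AccountInactive -TimeSpan '90.00:00:00' -UsersOnly |
    Where-Object { $_.Enabled } |
    Select-Object SamAccountName, LastLogonDate
```

Run it as `.\Offboard-Leaver.ps1 -Leaver sroy -ForwardTo bd-manager` (both names placeholders) from a session with Exchange and directory rights. The verification step matters more than the rest: a forwarding rule on its own, with the account left enabled and OWA switched on, is exactly the state the article describes, and only reading the account back shows whether the door is actually shut. The 90-day sweep in step 6 is the periodic check that catches anyone the leaver process never ran for.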
So why is Roy telling us this? Certainly there seems to be a certain amount of antagonism in his parting from VFS. He readily admits that he "left the company in disgust because I felt that the top management was unwilling to enforce the discipline and best practices required to run a business in an ethical manner." Yet whatever his motives, it does seem to reveal another apparent lack of regard for basic security principles within VFS. It also exposes the kind of problem which is all too often assumed to be of so little importance that it does not matter within the grand scheme of things: a live account belonging to someone who no longer works for you is an open door, and it stays open until someone checks. Truth be told, security, confidentiality and ethics are all wrapped up together and should be treated with the same level of respect no matter how big or small the particular issue at hand. Being sloppy with the small sketches has a nasty tendency to indicate that the bigger picture is not being drawn with a sharp enough pencil either…