U.K. government slammed over bug in outsourced Web site
Visa applicants' personal details revealed to hackers over the Web
Computerworld UK - An investigation into a security bug on a Web site used to apply for U.K. visas has painted a damning picture of "organizational failures" by a government agency and its contractor.
The online U.K. visa application Web site for people in India, Russia and Nigeria was provided by VFS Global, a commercial partner of the joint Foreign Office and Home Office agency, UKVisas.
Ministers pledged an inquiry after the site was closed down in May following publicity over the security bug, which made personal details of visa applicants easily accessible to hackers.
The report by independent investigator Linda Costelloe Baker slams UKVisas' outsourcing of the online service to a firm that is not an IT specialist, the contractor's performance, and the failure to respond adequately when the security hole was first revealed by Indian national Sanjib Mitra in December 2005.
There had been "inadequate central control of the moves to outsourcing" and contracts had paid "insufficient attention to the requirements of the Data Protection Act and to basic IT security".
Costelloe Baker added: "UKVisas was undoubtedly relieved to have the practical administrative assistance provided by outsourcing, but it did not obtain adequate third party or expert assurances that the VFS IT system was robust, even before VFS was allowed to start up an online system."
UKVisas should have made its expectations clearer, Costelloe Baker said, and the contracts drawn up by UKVisas "lacked specificity".
She cited an expert view that the VFS online system "was so poor that it should be completely rewritten". One expert described it as "an upside down pyramid, where piling more levels of changes and processes on the top only makes it more likely to fall over".
Since the debacle, VFS had accepted "that it is not an IT company and that it needs to outsource its software writing", Costelloe Baker said. VFS had been keen to grow a new business -- but in doing so it paid insufficient attention to the level of its own IT skills and abilities.
UKVisas "reacted inadequately" to notifications of the data security vulnerability from three people, the investigation found. Costelloe Baker said: "I do not find it acceptable for a complaint to be simply passed on to a third party -- VFS in this case -- for a response."
VFS took "some remedial action in January 2006" after the flaw was first revealed, but this appeared to have been ineffective in solving the problem. Mitra went public when the bug remained unfixed 18 months later.
In a scathing verdict, Costelloe Baker said: "In my view, there is no evidence to support any finding relating to the competence or performance of specific UKVisas' staff -- the problems were far wider than that.
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts