Skip the navigation

U.K. government slammed over bug in outsourced Web site

Visa applicants' personal details revealed to hackers over the Web

By Tash Shifrin
August 10, 2007 12:00 PM ET

Computerworld UK - An investigation into a security bug on a Web site used to apply for U.K. visas has painted a damning picture of "organizational failures" by a government agency and its contractor.

The online U.K. visa application Web site for people in India, Russia and Nigeria was provided by VFS Global, a commercial partner of the joint Foreign Office and Home Office agency, UKVisas.

Ministers pledged an inquiry after the site was closed down in May following publicity over the security bug, which made personal details of visa applicants easily accessible to hackers.

The report by independent investigator Linda Costelloe Baker slams UKVisas' outsourcing of the online service to a firm that is not an IT specialist, the contractor's performance, and the failure to respond adequately when the security hole was first revealed by Indian national Sanjib Mitra in December 2005.

There had been "inadequate central control of the moves to outsourcing" and contracts had paid "insufficient attention to the requirements of the Data Protection Act and to basic IT security".

Costelloe Baker added: "UKVisas was undoubtedly relieved to have the practical administrative assistance provided by outsourcing, but it did not obtain adequate third party or expert assurances that the VFS IT system was robust, even before VFS was allowed to start up an online system."

UKVisas should have made its expectations clearer, Costelloe Baker said, and the contracts drawn up by UKVisas "lacked specificity".

She cited an expert view that the VFS online system "was so poor that it should be completely rewritten". One expert described it as "an upside down pyramid, where piling more levels of changes and processes on the top only makes it more likely to fall over".

Since the debacle, VFS had accepted "that it is not an IT company and that it needs to outsource its software writing", Costelloe Baker said. VFS had been keen to grow a new business -- but in doing so it paid insufficient attention to the level of its own IT skills and abilities.

UKVisas "reacted inadequately" to notifications of the data security vulnerability from three people, the investigation found. Costelloe Baker said: "I do not find it acceptable for a complaint to be simply passed on to a third party -- VFS in this case -- for a response."

VFS took "some remedial action in January 2006" after the flaw was first revealed, but this appeared to have been ineffective in solving the problem. Mitra went public when the bug remained unfixed 18 months later.

In a scathing verdict, Costelloe Baker said: "In my view, there is no evidence to support any finding relating to the competence or performance of specific UKVisas' staff -- the problems were far wider than that.

This article is reprinted by permission from ComputerworldUK.com. Copyright (c) 2012 Computerworld UK. All rights reserved.
Our Commenting Policies