U.K. government slammed over bug in outsourced Web site
Visa applicants' personal details revealed to hackers over the Web
Computerworld UK - An investigation into a security bug on a Web site used to apply for U.K. visas has painted a damning picture of "organizational failures" by a government agency and its contractor.
The online U.K. visa application Web site for people in India, Russia and Nigeria was provided by VFS Global, a commercial partner of the joint Foreign Office and Home Office agency, UKVisas.
Ministers pledged an inquiry after the site was closed down in May following publicity over the security bug, which made personal details of visa applicants easily accessible to hackers.
The report by independent investigator Linda Costelloe Baker slams UKVisas' outsourcing of the online service to a firm that is not an IT specialist, the contractor's performance, and the failure to respond adequately when the security hole was first revealed by Indian national Sanjib Mitra in December 2005.
There had been "inadequate central control of the moves to outsourcing" and contracts had paid "insufficient attention to the requirements of the Data Protection Act and to basic IT security".
Costelloe Baker added: "UKVisas was undoubtedly relieved to have the practical administrative assistance provided by outsourcing, but it did not obtain adequate third party or expert assurances that the VFS IT system was robust, even before VFS was allowed to start up an online system."
UKVisas should have made its expectations clearer, Costelloe Baker said, and the contracts drawn up by UKVisas "lacked specificity".
She cited an expert view that the VFS online system "was so poor that it should be completely rewritten". One expert described it as "an upside down pyramid, where piling more levels of changes and processes on the top only makes it more likely to fall over".
Since the debacle, VFS had accepted "that it is not an IT company and that it needs to outsource its software writing", Costelloe Baker said. VFS had been keen to grow a new business -- but in doing so it paid insufficient attention to the level of its own IT skills and abilities.
UKVisas "reacted inadequately" to notifications of the data security vulnerability from three people, the investigation found. Costelloe Baker said: "I do not find it acceptable for a complaint to be simply passed on to a third party -- VFS in this case -- for a response."
VFS took "some remedial action in January 2006" after the flaw was first revealed, but this appeared to have been ineffective in solving the problem. Mitra went public when the bug remained unfixed 18 months later.
In a scathing verdict, Costelloe Baker said: "In my view, there is no evidence to support any finding relating to the competence or performance of specific UKVisas' staff -- the problems were far wider than that.
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts