U.K. government slammed over bug in outsourced Web site
Visa applicants' personal details revealed to hackers over the Web
Computerworld UK - An investigation into a security bug on a Web site used to apply for U.K. visas has painted a damning picture of "organizational failures" by a government agency and its contractor.
The online U.K. visa application Web site for people in India, Russia and Nigeria was provided by VFS Global, a commercial partner of the joint Foreign Office and Home Office agency, UKVisas.
Ministers pledged an inquiry after the site was closed down in May following publicity over the security bug, which made personal details of visa applicants easily accessible to hackers.
The report by independent investigator Linda Costelloe Baker slams UKVisas' outsourcing of the online service to a firm that is not an IT specialist, the contractor's performance, and the failure to respond adequately when the security hole was first revealed by Indian national Sanjib Mitra in December 2005.
There had been "inadequate central control of the moves to outsourcing" and contracts had paid "insufficient attention to the requirements of the Data Protection Act and to basic IT security".
Costelloe Baker added: "UKVisas was undoubtedly relieved to have the practical administrative assistance provided by outsourcing, but it did not obtain adequate third party or expert assurances that the VFS IT system was robust, even before VFS was allowed to start up an online system."
UKVisas should have made its expectations clearer, Costelloe Baker said, and the contracts drawn up by UKVisas "lacked specificity".
She cited an expert view that the VFS online system "was so poor that it should be completely rewritten". One expert described it as "an upside down pyramid, where piling more levels of changes and processes on the top only makes it more likely to fall over".
Since the debacle, VFS had accepted "that it is not an IT company and that it needs to outsource its software writing", Costelloe Baker said. VFS had been keen to grow a new business -- but in doing so it paid insufficient attention to the level of its own IT skills and abilities.
UKVisas "reacted inadequately" to notifications of the data security vulnerability from three people, the investigation found. Costelloe Baker said: "I do not find it acceptable for a complaint to be simply passed on to a third party -- VFS in this case -- for a response."
VFS took "some remedial action in January 2006" after the flaw was first revealed, but this appeared to have been ineffective in solving the problem. Mitra went public when the bug remained unfixed 18 months later.
In a scathing verdict, Costelloe Baker said: "In my view, there is no evidence to support any finding relating to the competence or performance of specific UKVisas' staff -- the problems were far wider than that.
- EndPoint Interactive eGuide In this eGuide, Network World, Computerworld, and CIO examine two endpoint trends - BYOD and collaboration - and offer tips and advice on...
- Mobile First: Securing Information Sprawl Learn how the partnership between Box and MobileIron can help you execute a "mobile first" strategy that manages and secures both mobile apps...
- Cybersecurity Imperatives: Reinvent your Network Security The Rise of CyberSecurity
- Surescripts Case Study- Securing Keys and Certificates Surescripts implemented Venafi's Trust Protection Platform™ to secure digital keys and certificates, ensure the privacy and confidentiality of electronic clinical information for its...
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities.
- Deep Dive into Advanced Networking and Security with Hybrid Cloud Security and networking are among the top concerns when moving workloads to the cloud. VMware vCloud® Hybrid Service™ enables you to extend your... All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!