Memo reveals multiple breaches of ID card database
The database that will take a central role in the national identity-card scheme has been breached more than 30 times since 2006.
The breaches of the Customer Information System (CIS), which is run by the Department of Work and Pensions, were revealed in a DWP memo to housing benefit and council tax benefit staff on 15 January.
CIS is designed to give local authorities access to citizens' data, including HMRC tax-credit information. In 2006, it was decided that the ID card project would use CIS for biographical information, to avoid having to create a new, monolithic database of the UK's inhabitants.
In the DWP memo, the government department said that desktop access to CIS had helped to "significantly improve service delivery" to citizens, but noted that a series of checks had identified that some local-authority staff were committing serious security breaches using the system.
On Wednesday, a spokesperson for the Department of Work and Pensions told ZDNet UK that 33 such breaches had been identified since 2006, but said the breaches were not necessarily intentional.
"The breaches were not necessarily someone purposely going on there and checking something they shouldn't," the DWP spokesperson said. "They could be inadvertently clicking on information."
The departmental memo reminded local-authority staff of CIS access rules. These are: staff cannot access their own records or the records of friends, relatives, partners or acquaintances; they cannot make enquiries on behalf of colleagues in respect of their friends, relatives, partners or acquaintances; they cannot share their system, Government Gateway or other identity password with their colleagues; and they must not access CIS for any unauthorised purpose.
The DWP's spokesperson did not respond to a request to describe how it might be possible to break these rules by inadvertently clicking on information in the CIS database, but did claim the number of breaches revealed in the memo showed the system was secure.
"The small number of breaches shows that the CIS security system is working and is protected by several different audit and monitoring controls, which actively manage and report attempts at unauthorised or inappropriate access," the spokesperson said.
The security analyst firm NCC Group said on Wednesday that the breaches showed the general inexperience of local authorities when dealing with large amounts of sensitive data.
Pointing out that it was "incredibly difficult" to know the true scale and frequency of such breaches, NCC Group director Ken Munro said in a statement that "central government understands protective marking of sensitive data, and vets staff appropriately, while many local authorities are found wanting in this area".
"Access to data such as this must be purely on a need-to-know basis, and should be carefully logged and reviewed on a regular basis," Munro said. "Personal data is of great use to the identity thief, and taking into account the number of individuals with access to the DWP CIS database, it would not be surprising if a small number could be coerced into extracting information for the needs of fraudsters."
Susan Hall, an ICT specialist at the law firm Cobbetts, said the news of the breaches "must be the final nail in the coffin for the government's national ID card programme".
"If council staff are able to snoop at our records so easily and undetected for so long, then how can an even larger and more complex database be safe?" Hall asked. "It has been reported that 'routine checks' unearthed these cases but if there are breaches dating back to 2006, then they are not proving very effective. Such negligence reinforces the need for custodial sentences for breaches of the Data Protection Act."
Asked whether the fact that it took up to two years for the breaches to come to light meant such events were not being picked up in time, the DWP's spokesperson claimed CIS control systems "actively manage and report attempts at unauthorised or inappropriate access on an ongoing basis".
"Checks are generated after the accesses and are followed up immediately by investigations where no business justification is apparent," the spokesperson added.