U.K.'s Home Office admits to database breaches

The government agency says four of five incidents involved members of staff accessing databases for unauthorized purposes.
Written by Tom Espiner, Contributor
The Home Office has admitted that the security of its ID and passport service database has been compromised several times, but denied that remote hackers were responsible.

In a response to a parliamentary question at the end of last week, the Home Office said it had had five security breaches in five years, mostly caused by civil service staff.

"The security breaches didn't involve people hacking into the systems," a Home Office representative told ZDNet UK on Thursday.

Four of the five incidents involved members of staff accessing the ID and Passport databases for unauthorized purposes. Three used their systems access privileges to conduct checks that were "not connected to their duties", according to an ID and Passport service spokesman, while in the other breach the staff member "misused data he was entitled to access".

In each of the cases "disciplinary action resulting in dismissal was undertaken," with one staff member "resigning before the proceedings came to an end," the spokesman said.

The fifth security breach occurred in a prison service system, when a "technical failure" caused the system to crash. The system has since been replaced, according to the Home Office.

The ID and Passport Service (IPS) said that this does not affect the ID card project, which will involve a massive database of personal and biometric data. Security experts have raised questions about how secure a national identity database linked to the government's ID card plan could be.

"The IPS takes the protection of systems and data very seriously. A range of protection and procedures are in place to prevent the misuse or abuse of official systems and to detect it where it does occur. IPS is committed to investigating any such misuse or abuse, and will deal with it in the strongest manner," the spokesman said.

However, the IPS admitted that the security breaches had still occurred, even with the protection systems in place.

"At the end of the day it's an issue of trust," the spokesman said. "People are security vetted, but trust can be breached. Anyone identified as breaching the system will be treated severely."

Tom Espiner of ZDNet UK reported from London.

Editorial standards